CVE-2025-54584

30.07.2025, 20:15

GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-115 - Misinterpretation of Input
The software misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.

References

https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f

https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a

https://github.com/finos/git-proxy/releases/tag/v1.19.2

https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv