Vulnerabilites related to finos - git-proxy
CVE-2025-54583 (GCVE-0-2025-54583)
Vulnerability from cvelistv5
Published
2025-07-30 19:59
Modified
2025-07-30 20:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-863 - Incorrect Authorization
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4 | x_refsource_CONFIRM | |
| https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a | x_refsource_MISC | |
| https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9 | x_refsource_MISC | |
| https://github.com/finos/git-proxy/releases/tag/v1.19.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54583",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:11:53.549022Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:13:10.804Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:00:01.652Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-qr93-8wwf-22g4",
"discovery": "UNKNOWN"
},
"title": "GitProxy bypasses approvals when pushing multiple branches"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54583",
"datePublished": "2025-07-30T19:59:44.317Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:13:10.804Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54585 (GCVE-0-2025-54585)
Vulnerability from cvelistv5
Published
2025-07-30 20:17
Modified
2025-07-30 20:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-285 - Improper Authorization
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6 | x_refsource_CONFIRM | |
| https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a | x_refsource_MISC | |
| https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531 | x_refsource_MISC | |
| https://github.com/finos/git-proxy/releases/tag/v1.19.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54585",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:30:12.139864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:30:27.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:17:20.844Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-39p2-8hq9-fwj6",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a new branch approval exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54585",
"datePublished": "2025-07-30T20:17:20.844Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-30T20:30:27.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54584 (GCVE-0-2025-54584)
Vulnerability from cvelistv5
Published
2025-07-30 20:01
Modified
2025-07-30 20:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-115 - Misinterpretation of Input
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv | x_refsource_CONFIRM | |
| https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f | x_refsource_MISC | |
| https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a | x_refsource_MISC | |
| https://github.com/finos/git-proxy/releases/tag/v1.19.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54584",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:18:53.257366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:19:21.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:01:16.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv"
},
{
"name": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-xxmh-rf63-qwjv",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a packfile parsing exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54584",
"datePublished": "2025-07-30T20:01:16.338Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:19:21.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54586 (GCVE-0-2025-54586)
Vulnerability from cvelistv5
Published
2025-07-30 21:14
Modified
2025-07-31 17:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g | x_refsource_CONFIRM | |
| https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110 | x_refsource_MISC | |
| https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a | x_refsource_MISC | |
| https://github.com/finos/git-proxy/releases/tag/v1.19.2 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54586",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-31T13:40:01.971988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-31T17:55:46.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T21:14:41.238Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"
},
{
"name": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-v98g-8rqx-g93g",
"discovery": "UNKNOWN"
},
"title": "GitProxy is susceptible to a hidden commits injection attack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54586",
"datePublished": "2025-07-30T21:14:41.238Z",
"dateReserved": "2025-07-25T16:19:16.094Z",
"dateUpdated": "2025-07-31T17:55:46.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}