CVE-2025-54584 (GCVE-0-2025-54584)
Vulnerability from cvelistv5
Published
2025-07-30 20:01
Modified
2025-07-30 20:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-115 - Misinterpretation of Input
Summary
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54584",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T20:18:53.257366Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:19:21.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "git-proxy",
"vendor": "finos",
"versions": [
{
"status": "affected",
"version": "\u003c 1.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-115",
"description": "CWE-115: Misinterpretation of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T20:01:16.338Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv"
},
{
"name": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f"
},
{
"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"
},
{
"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"
}
],
"source": {
"advisory": "GHSA-xxmh-rf63-qwjv",
"discovery": "UNKNOWN"
},
"title": "GitProxy is vulnerable to a packfile parsing exploit"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54584",
"datePublished": "2025-07-30T20:01:16.338Z",
"dateReserved": "2025-07-25T16:19:16.093Z",
"dateUpdated": "2025-07-30T20:19:21.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-54584\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-30T20:15:38.357\",\"lastModified\":\"2025-08-01T20:04:28.420\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.\"},{\"lang\":\"es\",\"value\":\"GitProxy es una aplicaci\u00f3n que se interpone entre los desarrolladores y un endpoint remoto de Git (p. ej., github.com). En las versiones 1.19.1 y anteriores, un atacante puede manipular un archivo de paquete de Git malicioso para explotar la detecci\u00f3n de la firma PACK en el archivo parsePush.ts. Al incrustar una firma PACK enga\u00f1osa en el contenido del commit y construir cuidadosamente la estructura del paquete, el atacante puede enga\u00f1ar al analizador para que trate datos no v\u00e1lidos o no deseados como el archivo de paquete. Esto podr\u00eda permitir eludir la aprobaci\u00f3n u ocultar commits. Este problema se solucion\u00f3 en la versi\u00f3n 1.19.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-115\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.19.2\",\"matchCriteriaId\":\"5066AC65-E6FA-4582-AE66-0CBBED07F809\"}]}]}],\"references\":[{\"url\":\"https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/finos/git-proxy/releases/tag/v1.19.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Release Notes\"]},{\"url\":\"https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-54584\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-30T20:18:53.257366Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-30T20:19:11.836Z\"}}], \"cna\": {\"title\": \"GitProxy is vulnerable to a packfile parsing exploit\", \"source\": {\"advisory\": \"GHSA-xxmh-rf63-qwjv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"finos\", \"product\": \"git-proxy\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.19.2\"}]}], \"references\": [{\"url\": \"https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv\", \"name\": \"https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f\", \"name\": \"https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a\", \"name\": \"https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/finos/git-proxy/releases/tag/v1.19.2\", \"name\": \"https://github.com/finos/git-proxy/releases/tag/v1.19.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-115\", \"description\": \"CWE-115: Misinterpretation of Input\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-30T20:01:16.338Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-54584\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-30T20:19:21.613Z\", \"dateReserved\": \"2025-07-25T16:19:16.093Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-30T20:01:16.338Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…