CVE-2025-54586

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-54586
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a
https://github.com/finos/git-proxy/releases/tag/v1.19.2
https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g
https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g
Configurations

No configuration.

History

31 Jul 2025, 18:15

Type Values Removed Values Added
References () https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g - () https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g -
Summary
  • (es) GitProxy es una aplicación que se interpone entre los desarrolladores y un endpoint remoto de Git. En las versiones 1.19.1 y anteriores, los atacantes pueden inyectar commits adicionales en el paquete enviado a GitHub, commits que no están dirigidos por ninguna rama. Aunque estos commits "ocultos" nunca aparecen en el historial visible del repositorio, GitHub los muestra en sus URL de commit directo. Esto permite a un atacante extraer datos confidenciales sin dejar rastro en la vista de la rama. Esta vulnerabilidad se considera de alto impacto porque compromete completamente la confidencialidad del repositorio. Se ha corregido en la versión 1.19.2.

30 Jul 2025, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-30 22:15

Updated : 2025-07-31 18:42

NVD link : CVE-2025-54586

Mitre link : CVE-2025-54586

CVE.ORG link : CVE-2025-54586

JSON object : View

Products Affected

No product.

CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor