CVE-2025-54586
Last modified
CVE-2025-54586 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Finos | Gitproxy | < 1.19.2 |
References
- https://github.com/finos/git-proxy/releases/tag/v1.19.2Patch, Release Notes
- https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93gExploit, Third Party Advisory
- https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93gExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-54586?
How severe is CVE-2025-54586?
How do I fix CVE-2025-54586?
Are you affected by CVE-2025-54586?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST