CVE-2025-54583

6.5 MEDIUM

📋 TL;DR

GitProxy versions 1.19.1 and below contain an authorization bypass vulnerability that allows users to push code to remote repositories without triggering required policy checks or approvals. This could enable developers to push sensitive data, malicious code, or unauthorized changes directly into production repositories. Organizations using GitProxy for Git operations are affected.

💻 Affected Systems

Products:
  • GitProxy
Versions: 1.19.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of GitProxy 1.19.1 and below are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could push malicious code containing backdoors, secrets, or malware directly into production repositories, potentially compromising entire software supply chains and downstream systems.

🟠

Likely Case

Developers accidentally or intentionally bypass security policies to push code containing secrets, vulnerabilities, or unauthorized changes that would normally be blocked.

🟢

If Mitigated

If proper network segmentation and access controls are in place, the impact is limited to unauthorized code pushes within the GitProxy environment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid GitProxy user credentials but no special technical knowledge beyond normal Git operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.2

Vendor Advisory: https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4

Restart Required: Yes

Instructions:

1. Stop the GitProxy service.
2. Back up the current configuration.
3. Upgrade to version 1.19.2 using the package manager or a manual installation.
4. Restart the GitProxy service.
5. Verify functionality.

🔧 Temporary Workarounds

Disable GitProxy push operations (platform: all)

Temporarily disable all push operations through GitProxy while maintaining read-only access:

git config --global --add proxy.denyPush true

Implement network-level restrictions (platform: all)

Use firewall rules to restrict GitProxy access to trusted networks only.

🧯 If You Can't Patch

  • Implement mandatory code review requirements for all repository pushes
  • Deploy additional security scanning tools that inspect commits before they reach production

🔍 How to Verify

Check if Vulnerable:

Check GitProxy version: git-proxy --version or examine package manager output

Check Version:

git-proxy --version

Verify Fix Applied:

Confirm the version is 1.19.2 or higher and test that policy checks are triggered on push attempts.

📡 Detection & Monitoring

Log Indicators:

  • Push operations without corresponding policy check logs
  • Successful pushes from users who previously had push requests denied
  • Unusual push patterns or timing

Network Indicators:

  • Git push traffic bypassing expected approval workflows
  • Direct repository access without proxy intervention

SIEM Query:

source="git-proxy" AND (event="push" AND NOT event="policy_check")
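The SIEM query above only selects push events; the indicator it targets ("push operations without corresponding policy check logs") needs a correlation between two event types. The following is an added example, not code from the advisory or from the GitProxy project, showing that correlation over constructed log lines. The JSON log format, the field names (event, user, repo, push_id, result) and the event names push, policy_check and push_complete are assumptions for illustration; GitProxy's real log schema is not shown on this page. It flags both log indicators listed above: pushes with no policy_check within a short window, and successful pushes by a user whose earlier push request was denied.

```python
"""Correlate GitProxy-style push events with policy-check events.

Added example for the detection indicators above. The log format below is a
constructed, hypothetical schema, not GitProxy's actual log output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical JSON-lines format). Each record carries
# a timestamp, an event name, the acting user, the repository, and a push_id that
# ties a push to its policy check; policy_check and push_complete carry a result.
SAMPLE_LOGS = """
{"ts": "2025-09-01T10:00:00Z", "event": "push", "user": "alice", "repo": "org/app", "push_id": "p1"}
{"ts": "2025-09-01T10:00:02Z", "event": "policy_check", "user": "alice", "repo": "org/app", "push_id": "p1", "result": "approved"}
{"ts": "2025-09-01T10:05:00Z", "event": "push", "user": "bob", "repo": "org/app", "push_id": "p2"}
{"ts": "2025-09-01T10:05:01Z", "event": "policy_check", "user": "bob", "repo": "org/app", "push_id": "p2", "result": "denied"}
{"ts": "2025-09-01T10:09:00Z", "event": "push", "user": "bob", "repo": "org/app", "push_id": "p3"}
{"ts": "2025-09-01T10:09:01Z", "event": "push_complete", "user": "bob", "repo": "org/app", "push_id": "p3", "result": "success"}
{"ts": "2025-09-01T10:12:00Z", "event": "push", "user": "carol", "repo": "org/infra", "push_id": "p4"}
""".strip()

# How long after a push a policy_check for the same push_id is expected to appear.
CHECK_WINDOW = timedelta(seconds=30)


def parse_logs(text):
    """Parse JSON-lines log text into a list of dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_unchecked_pushes(events, window=CHECK_WINDOW):
    """Return push_ids of push events with no policy_check for the same push_id within window."""
    checks = defaultdict(list)
    for e in events:
        if e["event"] == "policy_check":
            checks[e["push_id"]].append(e["ts"])
    flagged = []
    for e in events:
        if e["event"] != "push":
            continue
        pid = e["push_id"]
        # A check counts only if it lands after the push and inside the window.
        if not any(timedelta(0) <= (t - e["ts"]) <= window for t in checks[pid]):
            flagged.append(pid)
    return flagged


def find_pushes_after_denial(events):
    """Return push_ids of successful pushes by users who earlier had a policy_check denied."""
    first_denial = {}  # user -> timestamp of their first denied policy_check
    flagged = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] == "policy_check" and e.get("result") == "denied":
            first_denial.setdefault(e["user"], e["ts"])
        elif e["event"] == "push_complete" and e.get("result") == "success":
            if e["user"] in first_denial and e["ts"] > first_denial[e["user"]]:
                flagged.append(e["push_id"])
    return flagged


def analyze(text=SAMPLE_LOGS):
    """Run both detections and return the flagged push_ids per indicator."""
    events = parse_logs(text)
    return {
        "unchecked": find_unchecked_pushes(events),
        "after_denial": find_pushes_after_denial(events),
    }


if __name__ == "__main__":
    # On the constructed sample this reports p3 and p4 as unchecked, and p3 as a
    # successful push by a user (bob) who was denied minutes earlier.
    print(analyze())
</test>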
