CVE-2025-54585

6.5 MEDIUM

📋 TL;DR

CVE-2025-54585 allows attackers with regular push access to bypass GitProxy's commit approval enforcement when creating new branches. This vulnerability affects all organizations using GitProxy versions 1.19.1 and below to enforce policy controls on Git repositories. Attackers can push unapproved changes to child branches without proper oversight.

💻 Affected Systems

Products:
  • GitProxy
Versions: 1.19.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where GitProxy is configured to enforce commit approval policies. Requires attacker to have push access and an administrator to approve pushes to child branches.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers bypass all policy enforcement, pushing malicious code or configuration changes to production repositories, potentially leading to supply chain attacks, credential exposure, or system compromise.

🟠

Likely Case

Developers bypass approval workflows to push unauthorized changes, violating compliance requirements and potentially introducing security vulnerabilities or breaking builds.

🟢

If Mitigated

With proper monitoring and secondary controls, unauthorized changes can be detected and reverted before causing significant damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires push access and understanding of Git branch creation workflows. No authentication bypass needed beyond regular push permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.2

Vendor Advisory: https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6

Restart Required: Yes

Instructions:

1. Stop the GitProxy service.
2. Update to version 1.19.2 using your package manager or a manual installation.
3. Restart the GitProxy service.
4. Verify functionality.

🔧 Temporary Workarounds

Disable new branch creation

Temporarily restrict branch creation permissions to administrators only

git config --system receive.denyCurrentBranch updateInstead
git config --system receive.denyNonFastForwards true

Enhanced monitoring

Implement additional logging and alerts for branch creation events

Configure Git hooks to log all branch creation events
Set up alerts for unauthorized branch creation patterns

🧯 If You Can't Patch

  • Implement mandatory code review requirements outside of GitProxy for all branch merges
  • Deploy network segmentation to restrict GitProxy access to authorized users only

🔍 How to Verify

Check if Vulnerable:

Check the GitProxy version with git-proxy --version or by examining the installed package version. If the version is 1.19.1 or lower, the system is vulnerable.

Check Version:

git-proxy --version

Verify Fix Applied:

After updating, verify that the version is 1.19.2 or higher. Test branch creation against a repository with approval policies enabled to confirm they are enforced for new branches as well.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected branch creation events
  • Pushes to new branches without prior approval logs
  • Mismatch between approval timestamps and push events

Network Indicators:

  • Unusual Git push patterns to new branches
  • Increased frequency of branch creation requests

SIEM Query:

source="git-proxy" AND (event="branch_creation" OR event="push") | stats count by user, branch, timestamp
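As an added illustration of the log indicators above (not part of this advisory and not GitProxy's own code), the script below correlates push and approval events and flags new-branch pushes that have no approval recorded before the push. The key=value log format, the field names and the sample lines are constructed assumptions; adapt the regex to your deployment's actual log schema.

```python
import re
from datetime import datetime

# Constructed sample log lines in an assumed key=value format (not GitProxy's real schema).
SAMPLE_LOG = """\
2025-08-01T10:00:00Z event=approval user=admin repo=org/app commit=aaaa111
2025-08-01T10:05:00Z event=push user=dev1 repo=org/app branch=feature/x new_branch=true commit=aaaa111
2025-08-01T10:07:00Z event=push user=dev2 repo=org/app branch=feature/y new_branch=true commit=bbbb222
2025-08-01T10:08:00Z event=push user=dev3 repo=org/app branch=feature/z new_branch=true commit=cccc333
2025-08-01T10:09:00Z event=approval user=admin repo=org/app commit=cccc333
2025-08-01T10:10:00Z event=push user=dev1 repo=org/app branch=main new_branch=false commit=dddd444
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_events(text):
    """Turn each log line into a dict of key=value fields plus a parsed 'ts' datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        events.append(ev)
    return events


def find_unapproved_branch_pushes(text):
    """Return (branch, reason) for every new-branch push that lacks an approval
    recorded at or before the push time. Approvals are matched on (repo, commit)."""
    events = parse_events(text)
    approvals = {}
    for ev in events:
        if ev.get("event") == "approval":
            key = (ev["repo"], ev["commit"])
            # Keep the earliest approval seen for each commit.
            approvals[key] = min(approvals.get(key, ev["ts"]), ev["ts"])
    findings = []
    for ev in events:
        if ev.get("event") != "push" or ev.get("new_branch") != "true":
            continue
        approved_at = approvals.get((ev["repo"], ev["commit"]))
        if approved_at is None:
            findings.append((ev["branch"], "no approval recorded"))
        elif approved_at > ev["ts"]:
            findings.append((ev["branch"], "approval recorded after push"))
    return findings
```

Run over the sample, feature/x passes (approved before the push) while feature/y and feature/z are flagged, matching the "no prior approval" and "timestamp mismatch" indicators listed above.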
