CVE-2025-54586

7.1 HIGH

📋 TL;DR

GitProxy versions 1.19.1 and below allow attackers to inject hidden commits into Git packs sent to GitHub. These commits don't appear in branch history but remain accessible via direct URLs, enabling data exfiltration without visible traces. Organizations using vulnerable GitProxy versions are affected.

💻 Affected Systems

Products:
  • GitProxy
Versions: 1.19.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitProxy deployments that proxy Git operations to GitHub.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of repository confidentiality, with sensitive data exfiltrated without any trace in the version control history.

🟠 Likely Case

Attackers exfiltrate source code, credentials, or other sensitive data from private repositories.

🟢 If Mitigated

No data exfiltration occurs, because access controls and monitoring are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker access to GitProxy endpoint and knowledge of target repository structure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.19.2

Vendor Advisory: https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g

Restart Required: Yes

Instructions:

1. Stop the GitProxy service.
2. Update to version 1.19.2 via package manager or manual installation.
3. Restart the GitProxy service.
4. Verify the version with 'gitproxy --version'.

🔧 Temporary Workarounds

Disable GitProxy (linux)

Temporarily disable GitProxy and use direct Git connections:

sudo systemctl stop gitproxy
sudo systemctl disable gitproxy

🧯 If You Can't Patch

  • Implement strict network access controls to limit GitProxy exposure
  • Enable detailed logging of all GitProxy transactions and monitor for unusual patterns

🔍 How to Verify

Check if Vulnerable:

Check the GitProxy version with 'gitproxy --version' or examine the installed package version; any version at or below 1.19.1 is affected.

Check Version:

gitproxy --version

Verify Fix Applied:

Confirm version is 1.19.2 or higher and test Git operations through proxy
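A scripted form of the check above, added here as an example rather than taken from the advisory or the GitProxy project: it classifies a version string as vulnerable (1.19.1 and below) or fixed (1.19.2 and later). The exact output format of 'gitproxy --version' is not given on this page, so the script assumes only that the output contains a dotted major.minor.patch number somewhere in it; everything else about the format is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory or the GitProxy project): classify a
# GitProxy version string against the fixed version named in the advisory.
# Assumption: the input contains a plain major.minor.patch number, e.g.
# "gitproxy 1.19.1" or "v1.20.0"; the real `gitproxy --version` format is
# not specified on the advisory page.

FIXED_VERSION="1.19.2"   # first version that carries the fix

# Pull the first dotted three-part version number out of arbitrary text.
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# Return 0 (true) when $1 is strictly lower than $2, comparing each of the
# three components numerically (so 1.9.9 < 1.19.2, unlike a string compare).
version_lt() {
    lhs=$1
    rhs=$2
    i=1
    while [ "$i" -le 3 ]; do
        l=$(printf '%s' "$lhs" | cut -d. -f"$i")
        r=$(printf '%s' "$rhs" | cut -d. -f"$i")
        l=${l:-0}
        r=${r:-0}
        if [ "$l" -lt "$r" ]; then return 0; fi
        if [ "$l" -gt "$r" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# Print "vulnerable", "fixed" or "unknown" for a raw version string.
# Exit status: 1 = vulnerable, 0 = fixed, 2 = could not parse a version.
classify_version() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        printf 'unknown\n'
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        printf 'vulnerable\n'
        return 1
    fi
    printf 'fixed\n'
    return 0
}

# Usage: sh check_gitproxy.sh "$(gitproxy --version 2>&1)"
# The script's exit status can then drive a fleet-wide inventory check.
if [ $# -gt 0 ]; then
    classify_version "$1"
fi
```

Because the comparison is numeric per component, a release such as 1.20.0 is correctly reported as fixed even though it sorts before 1.19.2 as a string; a version string with no parsable number is reported as unknown rather than silently treated as fixed.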

📡 Detection & Monitoring

Log Indicators:

  • Unusual Git pack sizes
  • Multiple commit operations from single sources
  • Failed commit validations

Network Indicators:

  • Abnormal Git protocol traffic patterns
  • Large pack file transfers

SIEM Query:

source="gitproxy" AND (event="pack_upload" OR event="commit_push") AND size>threshold
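The SIEM query above is written in pseudo-syntax. As an added example, not part of the advisory and not GitProxy's real log format, the script below applies the same two ideas (pack or push events above a size threshold, and many push events from one source) to key=value log lines. The line layout and field names are constructed for this example; map them onto whatever your GitProxy logging actually emits.

```shell
#!/bin/sh
# Added example (not from the advisory): stand-alone filters that implement
# the "size>threshold" and "many commits from one source" indicators over
# key=value log lines. The log format below is constructed for this example;
# GitProxy's real log fields are not documented on the advisory page.

# Constructed sample log lines: timestamp, event, source address, repo, size in bytes.
SAMPLE_LOG='ts=2025-08-01T10:00:01Z event=pack_upload src=10.0.0.5 repo=org/app size=48211
ts=2025-08-01T10:00:07Z event=commit_push src=10.0.0.5 repo=org/app size=1203
ts=2025-08-01T10:01:15Z event=pack_upload src=10.0.0.9 repo=org/infra size=73400320
ts=2025-08-01T10:01:20Z event=commit_push src=10.0.0.9 repo=org/infra size=980
ts=2025-08-01T10:01:21Z event=commit_push src=10.0.0.9 repo=org/infra size=1010
ts=2025-08-01T10:01:22Z event=commit_push src=10.0.0.9 repo=org/infra size=1100
ts=2025-08-01T10:02:00Z event=fetch src=10.0.0.7 repo=org/app size=51000000'

# Read log lines on stdin; print pack_upload/commit_push lines whose size
# exceeds $1 bytes. Fetches are ignored even when large, matching the query.
flag_large_packs() {
    awk -v thr="$1" '
    {
        ev = ""; sz = 0
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "event") ev = kv[2]
            if (kv[1] == "size")  sz = kv[2] + 0
        }
        if ((ev == "pack_upload" || ev == "commit_push") && sz > thr) print
    }'
}

# Read log lines on stdin; print "src count" for every source with more than
# $1 push/upload events in the window covered by the input.
flag_busy_sources() {
    awk -v lim="$1" '
    {
        ev = ""; src = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "event") ev = kv[2]
            if (kv[1] == "src")   src = kv[2]
        }
        if (ev == "pack_upload" || ev == "commit_push") n[src]++
    }
    END { for (s in n) if (n[s] > lim) print s, n[s] }'
}

# Demo run on the constructed sample (thresholds are arbitrary examples):
# printf '%s\n' "$SAMPLE_LOG" | flag_large_packs 10000000
# printf '%s\n' "$SAMPLE_LOG" | flag_busy_sources 3
```

Both thresholds are placeholders; a workable baseline is the size and push-rate distribution of your own proxy over a quiet week, since a hidden-commit pack need not be large, and the per-source count is the indicator that still fires when it is not.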
