CVE-2025-54584
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-08-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| finos | gitproxy | < 1.19.2 (all versions up to and including 1.19.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-115 | Misinterpretation of Input: the product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects GitProxy versions 1.19.1 and earlier. GitProxy locates the packfile in a push by detecting the PACK signature in parsePush.ts. An attacker can craft a malicious Git packfile that embeds a decoy PACK signature in commit content and shapes the surrounding packet structure so that the detection logic picks the wrong position and treats invalid or unintended data as the packfile. Because GitProxy's review of a push depends on what it parses out of that packfile, this can allow an attacker to bypass approval processes or hide commits from reviewers.
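The TypeScript below is an added illustration of the weakness described above; it is not code from GitProxy or its parsePush.ts. It contrasts two ways of finding the packfile in a git receive-pack request body: a substring search for the first "PACK", and a parser that walks the pkt-line stream (the protocol's "<4 hex length><payload>" lines, terminated by the "0000" flush packet) and requires a valid 12-byte pack header exactly where the protocol says the packfile begins. The function names, the request bodies, the branch name containing "PACK", and the minimal pack header are all constructed here. The advisory places the decoy in commit content; this sample places the four bytes "PACK" in a ref name ahead of the real header, which is a simplification chosen so the example runs offline and shows the general point: any earlier occurrence of those bytes defeats a substring search, while consuming each pkt-line by its declared length never looks inside payloads at all.

```typescript
// Added example, not GitProxy's parsePush.ts: two ways to locate the packfile in a
// git receive-pack request body.
//
// Wire layout of a push (git pack protocol):
//   <pkt-line>*  one "<4 hex length><payload>" line per ref update
//   "0000"       flush packet terminating the command list
//   <packfile>   starts with the 12-byte header "PACK" + u32 version + u32 object count

const FLUSH_PKT = "0000";
const PACK_SIGNATURE = "PACK";

interface PackHeader {
  offset: number;      // byte offset of "PACK" in the body
  version: number;     // 2 or 3 per the Git pack format
  objectCount: number;
}

// Fragile approach: first "PACK" substring anywhere in the body. Any earlier
// occurrence of those four bytes (ref name, capability, content that precedes
// the real header) wins, so the caller parses the wrong bytes as the packfile.
function findPackNaive(body: Buffer): number {
  return body.indexOf(PACK_SIGNATURE);
}

// Structural approach: walk the pkt-line stream to the flush packet and require a
// valid pack header exactly there. Decoy bytes inside earlier payloads are skipped
// because each pkt-line is consumed by its declared length, never searched.
function findPackStructured(body: Buffer): PackHeader {
  let offset = 0;
  for (;;) {
    if (offset + 4 > body.length) throw new Error(`truncated pkt-line stream at ${offset}`);
    const lenHex = body.subarray(offset, offset + 4).toString("ascii");
    if (!/^[0-9a-f]{4}$/.test(lenHex)) throw new Error(`bad pkt-line length "${lenHex}" at ${offset}`);
    if (lenHex === FLUSH_PKT) { offset += 4; break; }
    const len = parseInt(lenHex, 16);
    if (len < 4) throw new Error(`reserved pkt-line length ${len} at ${offset}`);
    offset += len;
  }
  if (offset + 12 > body.length) throw new Error("no room for a pack header after flush packet");
  if (body.subarray(offset, offset + 4).toString("ascii") !== PACK_SIGNATURE) {
    throw new Error(`expected PACK signature at ${offset}`);
  }
  const version = body.readUInt32BE(offset + 4);
  const objectCount = body.readUInt32BE(offset + 8);
  if (version !== 2 && version !== 3) throw new Error(`unsupported pack version ${version}`);
  return { offset, version, objectCount };
}

// --- constructed sample input (hypothetical, not captured traffic) ---

function pktLine(payload: string): Buffer {
  const data = Buffer.from(payload, "utf8");
  const hex = ("000" + (data.length + 4).toString(16)).slice(-4);
  return Buffer.concat([Buffer.from(hex, "ascii"), data]);
}

function buildPushBody(refLine: string, pack: Buffer): Buffer {
  return Buffer.concat([pktLine(refLine), Buffer.from(FLUSH_PKT, "ascii"), pack]);
}

const OLD_OID = "0".repeat(40);
const NEW_OID = "a".repeat(40);
// Header only (version 2, one object); a real pack carries objects and a trailing SHA-1.
const SAMPLE_PACK = Buffer.concat([
  Buffer.from(PACK_SIGNATURE, "ascii"),
  Buffer.from([0, 0, 0, 2, 0, 0, 0, 1]),
]);

const BENIGN_BODY = buildPushBody(`${OLD_OID} ${NEW_OID} refs/heads/main\0report-status`, SAMPLE_PACK);
// The decoy: a branch name containing the four bytes "PACK" ahead of the real header.
const DECOY_BODY = buildPushBody(`${OLD_OID} ${NEW_OID} refs/heads/feature/PACKaging\0report-status`, SAMPLE_PACK);

function demo(): void {
  const cases: Array<[string, Buffer]> = [["benign", BENIGN_BODY], ["decoy", DECOY_BODY]];
  for (const [name, body] of cases) {
    console.log(name, "naive offset:", findPackNaive(body), "structured:", findPackStructured(body));
  }
}
demo();
```

On the benign body both approaches agree; on the decoy body the substring search stops inside the ref name while the structural parser reaches the real header after the flush packet. Anything that is not a well-formed pkt-line stream followed by a pack header is rejected rather than guessed at, which is the property a pre-receive proxy needs before it decides what a push contains.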
How can this vulnerability impact me?
The vulnerability can impact you by allowing an attacker to bypass approval mechanisms or hide commits in GitProxy, which could lead to unauthorized or malicious code changes being accepted without detection.
What immediate steps should I take to mitigate this vulnerability?
Upgrade GitProxy to version 1.19.2 or later, as this version contains the fix for the vulnerability.