CVE-2025-54586
BaseFortify
Publication date: 2025-07-30
Last updated on: 2025-08-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| finos | gitproxy | up to 1.19.2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
In GitProxy versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub that are not pointed to by any branch. These hidden commits do not appear in the repository's visible history, but GitHub still serves them at their direct commit URLs. This allows attackers to exfiltrate sensitive data without leaving any trace in the branch view.
How can this vulnerability impact me?
This vulnerability can compromise the confidentiality of your repository: an attacker who can push through the proxy can inject hidden commits containing sensitive data. Because these commits are not visible in the branch history but remain accessible via direct commit URLs, the data can be exfiltrated without showing up in the history a reviewer would normally inspect.
What immediate steps should I take to mitigate this vulnerability?
Upgrade GitProxy to version 1.19.2 or later, as this version contains the fix for the vulnerability that allows attackers to inject hidden commits. This will prevent attackers from exfiltrating sensitive data through hidden commits.