CVE-2025-54584 HIGH

CVE-2025-54584: GitProxy is vulnerable to a packfile parsing exploit

Vendor Finos
Product git-proxy
Weakness CWE-115 (Misinterpretation of Input)
Published July 30, 2025
Last update July 30, 2025

CVSS base score

7.0/10
Attack vector Network
Attack complexity High
Attack requirements None
Privileges required Low
User interaction None
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

What the vulnerability does

Description

GitProxy is an application that sits between developers and a Git remote endpoint (e.g., github.com) and forwards pushes after review. In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in parsePush.ts. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile, so that what the proxy inspects is not what is actually pushed. This could allow bypassing approval or hiding commits from review. The CVSS vector reflects that: the attacker needs only the privileges of a user who can push through the proxy (PR:L), there is no confidentiality or availability impact, and the integrity impact is high on both the proxy and the subsequent system it forwards to (VI:H, SI:H). This issue is fixed in version 1.19.2.
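The bug class behind this advisory is locating the packfile by searching the push body for the bytes "PACK" instead of following the protocol framing. The example below is added here and is not GitProxy's code: the naive function is a reconstruction of that pattern, not a copy of parsePush.ts, and the request bytes are constructed for the demo (the decoy signature is placed in a ref name, which is the simplest spot to show the failure; the advisory names commit content). The framed parser walks the pkt-line commands of a receive-pack request and only accepts a PACK header at the byte immediately after the flush-pkt.

```typescript
// Added example (not GitProxy's code): naive "first PACK in the body" detection versus
// pkt-line framing-aware detection of the packfile in a git receive-pack request.

export interface PackHeader { offset: number; version: number; objects: number }

function ascii(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

function concat(parts: Uint8Array[]): Uint8Array {
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let pos = 0;
  for (const p of parts) { out.set(p, pos); pos += p.length; }
  return out;
}

function u32be(buf: Uint8Array, off: number): number {
  return buf[off] * 0x1000000 + (buf[off + 1] << 16) + (buf[off + 2] << 8) + buf[off + 3];
}

function be32(n: number): Uint8Array {
  return new Uint8Array([(n >>> 24) & 0xff, (n >>> 16) & 0xff, (n >>> 8) & 0xff, n & 0xff]);
}

// Index of the first occurrence of an ASCII needle at or after `from`, or -1.
function findAscii(buf: Uint8Array, needle: string, from = 0): number {
  const n = ascii(needle);
  outer: for (let i = from; i + n.length <= buf.length; i++) {
    for (let j = 0; j < n.length; j++) if (buf[i + j] !== n[j]) continue outer;
    return i;
  }
  return -1;
}

// pkt-line: 4 hex digits giving the total length (including those 4 bytes), then payload.
// "0000" is the flush-pkt that terminates the list of ref-update commands.
function pktLine(payload: string): Uint8Array {
  const len = ("000" + (payload.length + 4).toString(16)).slice(-4);
  return ascii(len + payload);
}
const FLUSH = ascii("0000");

// Packfile header: "PACK", 4-byte version, 4-byte object count, big-endian.
function packHeader(version: number, objects: number): Uint8Array {
  return concat([ascii("PACK"), be32(version), be32(objects)]);
}

// Vulnerable pattern: whatever "PACK" appears first is taken as the packfile start.
export function findPackNaive(body: Uint8Array): PackHeader | null {
  const off = findAscii(body, "PACK");
  if (off < 0 || off + 12 > body.length) return null;
  return { offset: off, version: u32be(body, off + 4), objects: u32be(body, off + 8) };
}

// Hardened: walk the pkt-line framing; the packfile can only begin right after the flush-pkt.
export function findPackFramed(body: Uint8Array): PackHeader | null {
  let pos = 0;
  let sawFlush = false;
  while (pos + 4 <= body.length) {
    let lenHex = "";
    for (let i = 0; i < 4; i++) lenHex += String.fromCharCode(body[pos + i]);
    if (!/^[0-9a-fA-F]{4}$/.test(lenHex)) return null;      // not a pkt-line: reject
    const len = parseInt(lenHex, 16);
    if (len === 0) { pos += 4; sawFlush = true; break; }    // flush-pkt ends the commands
    if (len < 4 || pos + len > body.length) return null;    // malformed or truncated
    pos += len;
  }
  if (!sawFlush || pos + 12 > body.length) return null;     // no flush, or no room for a header
  if (findAscii(body, "PACK", pos) !== pos) return null;    // signature must sit exactly here
  const version = u32be(body, pos + 4);
  if (version !== 2 && version !== 3) return null;          // the only versions git produces
  return { offset: pos, version, objects: u32be(body, pos + 8) };
}

// Constructed requests (placeholder object ids, object data replaced by a marker string).
const ZERO = new Array(41).join("0");
const NEW = new Array(41).join("a");
const commands = concat([
  pktLine(`${ZERO} ${NEW} refs/heads/main\0report-status\n`),
  pktLine(`${ZERO} ${NEW} refs/heads/PACK\n`),              // decoy "PACK" before the flush
  FLUSH,
]);
export const CRAFTED_PACK_OFFSET = commands.length;          // where the real packfile starts
export const craftedPush = concat([commands, packHeader(2, 3), ascii("<object data omitted>")]);
export const truncatedPush = commands;                       // flush with nothing behind it
export const benignPush = concat([
  pktLine(`${ZERO} ${NEW} refs/heads/main\0report-status\n`), FLUSH, packHeader(2, 1),
]);
```

On the benign push both functions agree; on the crafted one the naive search lands on the decoy and reads garbage as the version and object count, while the framed parser reports the real header, and on a body that ends at the flush it returns null instead of scanning onward. The same framing walk also gives the proxy the exact byte range of the packfile it should hand to its object parser.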

Key dates

Disclosure timeline

July 30, 2025 CVE published
July 30, 2025 Record updated