{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54586", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-25T16:19:16.094Z", "datePublished": "2025-07-30T21:14:41.238Z", "dateUpdated": "2025-07-31T17:55:46.333Z"}, "containers": {"cna": {"title": "GitProxy is susceptible to a hidden commits injection attack", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"}, {"name": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110", "tags": ["x_refsource_MISC"], "url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110"}, {"name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "tags": ["x_refsource_MISC"], "url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"}, {"name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"}], "affected": [{"vendor": "finos", "product": "git-proxy", "versions": [{"version": "< 1.19.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-30T21:14:41.238Z"}, "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."}], "source": {"advisory": "GHSA-v98g-8rqx-g93g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-31T13:40:01.971988Z", "id": "CVE-2025-54586", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T17:55:46.333Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54586", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-31T13:40:01.971988Z"}}}], "references": [{"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-31T13:40:03.304Z"}}], "cna": {"title": "GitProxy is susceptible to a hidden commits injection attack", "source": {"advisory": "GHSA-v98g-8rqx-g93g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "finos", "product": "git-proxy", "versions": [{"status": "affected", "version": "< 1.19.2"}]}], "references": [{"url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g", "name": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110", "name": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "name": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "name": "https://github.com/finos/git-proxy/releases/tag/v1.19.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-30T21:14:41.238Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54586", "state": "PUBLISHED", "dateUpdated": "2025-07-31T17:55:46.333Z", "dateReserved": "2025-07-25T16:19:16.094Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-30T21:14:41.238Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:finos:gitproxy:*:*:*:*:*:*:*:*", "matchCriteriaId": "5066AC65-E6FA-4582-AE66-0CBBED07F809", "versionEndExcluding": "1.19.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren\u2019t pointed to by any branch. Although these \u201chidden\u201d commits never show up in the repository\u2019s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High\u2011impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2."}, {"lang": "es", "value": "GitProxy es una aplicaci\u00f3n que se interpone entre los desarrolladores y un endpoint remoto de Git. En las versiones 1.19.1 y anteriores, los atacantes pueden inyectar commits adicionales en el paquete enviado a GitHub, commits que no est\u00e1n dirigidos por ninguna rama. Aunque estos commits \"ocultos\" nunca aparecen en el historial visible del repositorio, GitHub los muestra en sus URL de commit directo. Esto permite a un atacante extraer datos confidenciales sin dejar rastro en la vista de la rama. Esta vulnerabilidad se considera de alto impacto porque compromete completamente la confidencialidad del repositorio. Se ha corregido en la versi\u00f3n 1.19.2."}], "id": "CVE-2025-54586", "lastModified": "2025-08-01T20:03:03.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2025-07-30T22:15:25.120", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110"}, {"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a"}, {"source": "[email protected]", "tags": ["Patch", "Release Notes"], "url": "https://github.com/finos/git-proxy/releases/tag/v1.19.2"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "[email protected]", "type": "Secondary"}]}

{}