CVE-2025-54584— GitProxy is vulnerable to a packfile parsing exploit
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-54584
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GitProxy is vulnerable to a packfile parsing exploit
Source: NVD (National Vulnerability Database)
Vulnerability Description
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入的错误解释
Source: NVD (National Vulnerability Database)
Vulnerability Title
The Fintech Open Source Foundation GitProxy 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
The Fintech Open Source Foundation GitProxy是The Fintech Open Source Foundation基金会的一个在Git之上部署自定义推送保护和策略。 The Fintech Open Source Foundation GitProxy 1.19.1及之前版本存在安全漏洞,该漏洞源于处理恶意Git packfile时可能绕过批准或隐藏提交。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-54584
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-54584
请登录查看更多情报信息。
Same Patch Batch · finos · 2025-07-30 · 4 CVEs total
| CVE-2025-54586 | 7.1 HIGH | GitProxy is susceptible to a hidden commits injection attack |
| CVE-2025-54585 | GitProxy is vulnerable to a new branch approval exploit | |
| CVE-2025-54583 | GitProxy bypasses approvals when pushing multiple branches |
IV. Related Vulnerabilities
Same weakness: CWE-115
- CVE-2025-68113
ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Re - CVE-2025-5826
Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_ms - CVE-2025-5747
WOLFBOX Level 2 EV Charger MCU Command Parsing Misinterpreta - CVE-2025-32908
Libsoup: denial of service on libsoup through http/2 server - CVE-2024-11169
Unhandled Exception Leading to Server Crash in danny-avila/l
V. Comments for CVE-2025-54584
No comments yet