Home > Vulnerability Database > CVE-2025-54584

Mend.io Vulnerability Database

CVE-2025-54584

Good to know:

Date: July 30, 2025

GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.

Severity Score

5.7

Related Resources (7)

Url: https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv

Url: https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f

Url: https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-54584

Url: https://github.com/finos/git-proxy

Url: https://github.com/finos/git-proxy/releases/tag/v1.19.2

Url: https://www.mend.io/vulnerability-database/CVE-2025-54584

Severity Score

5.7

Weakness Type (CWE)

Misinterpretation of Input

CWE-115

Top Fix

Upgrade Version

Upgrade to version @finos/git-proxy - 1.19.2

Learn More

CVSS v3.1

Base Score:	5.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-54584

Good to know:

Date: July 30, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?