Vulnerability DatabaseCVE-2025-54586
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-54586
July 30, 2025
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
Affected Packages
@finos/git-proxy (NPM):
Affected version(s) >=1.0.0 <1.19.2
Fix Suggestion:
Update to version 1.19.2
Related Resources (6)
https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a
https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110
https://github.com/finos/git-proxy
https://github.com/finos/git-proxy/releases/tag/v1.19.2
https://nvd.nist.gov/vuln/detail/CVE-2025-54586
Do you need more information?
Contact Us
CVSS v4
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
EPSS
Base Score:
0.04