
CVE-2025-54584 @finos/git-proxy

Package

Manager: npm
Name: @finos/git-proxy
Vulnerable Version: >=0 <1.19.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

EPSS: 0.00034 (percentile 0.08173)

Details

GitProxy Packfile Parsing Exploit

### Summary

An attacker can craft a malicious Git packfile to exploit the PACK signature detection in `parsePush.ts`. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits.

### Details

The affected version of `parsePush.ts` attempts to locate the Git PACK file by looking for the last occurrence of the string "PACK" in the incoming push payload:

```ts
const packStart = buffer.lastIndexOf('PACK');
```

This assumes that any "PACK" string near the end of the push is the beginning of the actual binary Git packfile. However, Git objects (commits, blobs, etc.) can contain arbitrary content, including the word PACK, in binary or non-compressed blobs. An attacker could abuse this by:

1. Crafting a custom packfile using low-level Git tools or by manually forging one.
2. Placing the string "PACK" inside a commit body or a binary file blob that appears after the real PACK start in the stream.

The parser then ignores the actual push and treats the binary blob/commit body as the PACK file. The actual push contents may violate existing push policies.

### PoC

1. Make a commit on any branch (example: `test-branch`) containing the string "PACK".
2. Manually generate a custom packfile with both branches using `git pack-objects` or a low-level library/custom script:
   a) Add the string "PACK" after the real packfile's PACK header in the binary stream.
3. Push using a custom client/raw protocol injection.

### Impact

Attackers with push access can hide commits from scanning/approval and make changes that bypass policies, potentially inserting unwanted/malicious code into a GitProxy-protected repository. The vulnerability impacts all users or organizations relying on GitProxy to enforce policies and prevent unapproved changes.

It requires no elevated privileges beyond regular push access and no extra user interaction; however, it does require a considerable amount of technical skill and intentional effort to accomplish.
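The weakness above is the `lastIndexOf('PACK')` heuristic. The following added example (not GitProxy's code) contrasts it with a locator that walks the pkt-line framing of a receive-pack push and expects the packfile header immediately after the flush-pkt, so "PACK" bytes inside object content cannot move the detected start. The payload and packfile are constructed inline; the assumed protocol framing is stated in the comments.

```javascript
// Added example, not GitProxy's code. Assumes git receive-pack (v1) framing:
// pkt-line ref-update commands, flush-pkt "0000", then the packfile header.

// Constructed push payload. `pack` is the full packfile, or null for a
// push that only deletes refs (no packfile is sent in that case).
function buildPushPayload(oldSha, newSha, refName, pack) {
  const cmd = Buffer.from(`${oldSha} ${newSha} ${refName}\0report-status`, 'latin1');
  const len = (cmd.length + 4).toString(16).padStart(4, '0');
  const parts = [Buffer.from(len, 'ascii'), cmd, Buffer.from('0000', 'ascii')];
  if (pack) parts.push(pack);
  return Buffer.concat(parts);
}

// Constructed packfile: a valid 12-byte header followed by object bytes
// that happen to contain "PACK", as a commit message or blob could.
function buildPackWithPackInBody() {
  const header = Buffer.alloc(12);
  header.write('PACK', 0);
  header.writeUInt32BE(2, 4); // pack version 2
  header.writeUInt32BE(1, 8); // object count (body below is illustrative, not zlib data)
  return Buffer.concat([header, Buffer.from('commit: see PACK notes', 'latin1')]);
}

// The vulnerable heuristic: the last "PACK" anywhere in the stream.
function findPackStartLastIndexOf(buffer) {
  return buffer.lastIndexOf('PACK');
}

// Hardened locator: consume pkt-lines up to the flush-pkt and require the
// packfile header exactly there. Returns -1 when no packfile follows.
function findPackStartByPktLine(buffer) {
  let offset = 0;
  for (;;) {
    if (offset + 4 > buffer.length) throw new Error('truncated pkt-line stream');
    const hex = buffer.toString('ascii', offset, offset + 4);
    if (!/^[0-9a-f]{4}$/i.test(hex)) throw new Error(`bad pkt-line length at ${offset}`);
    const len = parseInt(hex, 16);
    offset += 4;
    if (len === 0) break;                  // flush-pkt: command list is over
    if (len < 4) throw new Error(`reserved pkt-line length ${len}`);
    offset += len - 4;
  }
  if (offset === buffer.length) return -1;  // delete-only push, no packfile
  const sig = offset + 12 <= buffer.length ? buffer.toString('ascii', offset, offset + 4) : '';
  if (sig !== 'PACK') throw new Error(`expected packfile header at offset ${offset}`);
  const version = buffer.readUInt32BE(offset + 4);
  if (version !== 2 && version !== 3) throw new Error(`unsupported pack version ${version}`);
  return offset;
}
```

On the constructed payload the pkt-line locator returns the true header offset while `lastIndexOf` lands inside the object body; a delete-only push yields -1 instead of a bogus match.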

Metadata

Created: 2025-07-30T16:40:07Z
Modified: 2025-07-31T11:18:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-xxmh-rf63-qwjv/GHSA-xxmh-rf63-qwjv.json
CWE IDs: ["CWE-115"]
Alternative ID: GHSA-xxmh-rf63-qwjv
Finding: F184
Auto approve: 1