Vulnerability in Finos Git-proxy
CVE-2025-54584
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.t…
EPSS: 0.002 (45.5th percentile)
Affected products
- Finos Git-proxy — versions < 1.19.2
Weakness classification (CWE)
References
- https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv (x_refsource_CONFIRM)
- https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f (x_refsource_MISC)
- https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a (x_refsource_MISC)
- https://github.com/finos/git-proxy/releases/tag/v1.19.2 (x_refsource_MISC)