GitProxy bypasses approvals when pushing multiple branches_CVE-2025-54583

8.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Description

GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.

Basic Information

ID CVE-2025-54583

Source GitHub_M

Published Jul 30, 2025 at 19:59

Modified Jul 30, 2025 at 20:13

Affected Product

Vendor finos

Product git-proxy

Version < 1.19.2

Affected Versions finos git-proxy < 1.19.2

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2.",
    "published": "2025-07-30T19:59:44.317Z",
    "modified": "2025-07-30T20:13:10.804Z",
    "type": "cve",
    "title": "GitProxy bypasses approvals when pushing multiple branches",
    "source": "GitHub_M",
    "references": "https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4\nhttps://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a\nhttps://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9\nhttps://github.com/finos/git-proxy/releases/tag/v1.19.2",
    "id": "CVE-2025-54583",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "finos git-proxy < 1.19.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "git-proxy",
    "version": "< 1.19.2",
    "vendor": "finos",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}