Description
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv
Patch x_refsource_misc
https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f
Patch x_refsource_misc
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a
Patch, Release Notes x_refsource_misc
https://github.com/finos/git-proxy/releases/tag/v1.19.2
Scores
CVSS v3
5.7
EPSS
0.0007
EPSS Percentile
22.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-115
Status
published
Products (2)
finos/git-proxy
0 - 1.19.2npm
finos/gitproxy
< 1.19.2
Published
Jul 30, 2025
Tracked Since
Feb 18, 2026