Description
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2.
References (4)
Core 4
Core References
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6
Patch x_refsource_misc
https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a
Patch x_refsource_misc
https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531
Patch, Release Notes x_refsource_misc
https://github.com/finos/git-proxy/releases/tag/v1.19.2
Scores
CVSS v3
6.5
EPSS
0.0006
EPSS Percentile
18.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-285
Status
published
Products (2)
finos/git-proxy
0 - 1.19.2npm
finos/gitproxy
< 1.19.2
Published
Jul 30, 2025
Tracked Since
Feb 18, 2026