Name of the Vulnerable Software and Affected Versions:
GitProxy versions 1.19.1 and below
Description:
GitProxy is an application that acts as an intermediary between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject additional commits into the pack sent to GitHub, which are not referenced by any branch. These “hidden” commits can be served by GitHub at their direct commit URLs, allowing an attacker to exfiltrate sensitive data without altering the repository’s visible history. This issue completely compromises repository confidentiality.
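One way a proxy can catch this class of push, as an added illustration that is not GitProxy's own code: walk the pack's commit graph from every ref tip the push updates and flag any commit the walk never reaches. It assumes the pack has already been parsed into a constructed `{ sha: [parentShas] }` map of its commit objects (blobs and trees are ignored) and that ref updates arrive as `{ ref, oldSha, newSha }`.

```javascript
// Added example (not from the GitProxy project). Assumes `packCommits` is a
// parsed view of the pushed pack: commit sha -> array of parent shas.
// Commits whose sha is absent from the pack are taken to exist on the remote
// already, so the walk stops there instead of needing the full history.

const ZERO_SHA = /^0+$/; // a ref deletion has an all-zero new sha

// Return the shas of pack commits that no updated ref can reach.
function findUnreferencedCommits(packCommits, refUpdates) {
  const reachable = new Set();
  const stack = refUpdates
    .map((u) => u.newSha)
    .filter((sha) => !ZERO_SHA.test(sha)); // deletions contribute no tip
  while (stack.length > 0) {
    const sha = stack.pop();
    if (reachable.has(sha)) continue;
    if (!(sha in packCommits)) continue; // already on the remote: stop here
    reachable.add(sha);
    stack.push(...packCommits[sha]); // follow every parent, merges included
  }
  return Object.keys(packCommits).filter((sha) => !reachable.has(sha));
}

// A push carrying any commit that its own refs do not reference is the
// "hidden commit" pattern described above and should be rejected.
function shouldRejectPush(packCommits, refUpdates) {
  return findUnreferencedCommits(packCommits, refUpdates).length > 0;
}

// Constructed sample: refs/heads/main moves base0 -> c1 -> c2, but the pack
// also smuggles `hidden`, a commit that no ref in the push points to.
const samplePack = {
  c1: ['base0'],
  c2: ['c1'],
  hidden: ['c1'],
};
const sampleRefs = [{ ref: 'refs/heads/main', oldSha: 'base0', newSha: 'c2' }];

console.log(findUnreferencedCommits(samplePack, sampleRefs)); // ['hidden']
console.log(shouldRejectPush(samplePack, sampleRefs)); // true
```

Sha values here are short labels for readability; a real implementation compares full object ids and would obtain the parent lists from the pack's commit objects.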
Recommendations:
Update to version 1.19.2 or later.