PT-2025-31448 · Gitproxy · Git-Proxy
Coopernetes · Published 2025-07-30 · Updated 2025-07-31 · CVE-2025-54586
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GitProxy versions 1.19.1 and below
Description: GitProxy is an application that acts as an intermediary between developers and a Git remote endpoint. An attacker can inject extra commits into the packfile sent to GitHub, commits that are not associated with any branch. These "hidden" commits do not appear in the repository's branch history but remain accessible via their direct commit URLs, so an attacker can exfiltrate sensitive data without leaving a trace in the branch view. This compromises repository confidentiality. The vulnerability occurs because the proxy trusts only the ref-update line and does not inspect the packfile's contents, so it never verifies which commits are actually included in the pack.
Recommendations: Update to GitProxy version 1.19.2 or later.
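The check the description says was missing, as an added example (not GitProxy's own code): parse the push's ref-update commands, walk the commit graph from each new ref tip, and flag any commit in the pack that no pushed ref reaches. It assumes the received pack has already been indexed into a commit-to-parents map (for example with `git index-pack` in a real proxy); the sample push and its graph are constructed inline.

```python
import re

ZERO_OID = "0" * 40
# Optional 4-hex pkt-line length prefix, then "<old-oid> <new-oid> <refname>".
REF_UPDATE = re.compile(r"^(?:[0-9a-f]{4})?([0-9a-f]{40}) ([0-9a-f]{40}) (\S+)")

def parse_ref_updates(pkt_lines: str) -> list[tuple[str, str, str]]:
    """Parse receive-pack command lines; capabilities after the NUL are dropped."""
    updates = []
    for line in pkt_lines.splitlines():
        m = REF_UPDATE.match(line.split("\0", 1)[0])
        if m:
            updates.append(m.groups())
    return updates

def reachable(tip: str, graph: dict[str, list[str]], stop: set[str]) -> set[str]:
    """Commits reachable from `tip` via parent links, not descending past `stop`."""
    seen, stack = set(), [tip]
    while stack:
        oid = stack.pop()
        if oid in seen or oid in stop or oid not in graph:
            continue
        seen.add(oid)
        stack.extend(graph[oid])
    return seen

def hidden_commits(updates, pack_commits, known_oids) -> set[str]:
    """Commits in the pack that no pushed ref tip makes reachable.
    `pack_commits`: commit oid -> parent oids from the received pack (assumed
    indexed already); `known_oids`: objects the remote holds, where the walk stops."""
    allowed = set()
    for old, new, _ref in updates:
        if new == ZERO_OID:  # ref deletion: the pack should carry nothing for it
            continue
        allowed |= reachable(new, pack_commits, known_oids | ({old} - {ZERO_OID}))
    return set(pack_commits) - allowed

# Constructed sample push: main advances A -> B -> C, but the pack also carries
# commit D, which no ref points at (the advisory's "hidden" commit).
A, B, C, D = ("a" * 40, "b" * 40, "c" * 40, "d" * 40)
SAMPLE_PKT = f"{A} {C} refs/heads/main\0report-status\n"
SAMPLE_PACK = {B: [A], C: [B], D: [A]}
SAMPLE_KNOWN = {A}

def check_sample() -> set[str]:
    """Run the check on the constructed push; a non-empty result means reject."""
    return hidden_commits(parse_ref_updates(SAMPLE_PKT), SAMPLE_PACK, SAMPLE_KNOWN)
```

A proxy applying this check rejects the push (or strips the unreferenced objects) before forwarding the pack upstream, so the hidden commit never reaches the remote.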

Information Disclosure

Weakness Enumeration

Related Identifiers
CVE-2025-54586
GHSA-V98G-8RQX-G93G

Affected Products
Git-Proxy