CVE-2025-54584 is a high-severity vulnerability affecting finos git-proxy versions prior to 1.19.2. GitProxy acts as an intermediary between developers and Git remote endpoints such as github.com, parsing Git packfiles to manage commits and pushes. The vulnerability arises from a misinterpretation of input related to the PACK signature detection mechanism in the parsePush.ts file. Specifically, an attacker can craft a malicious Git packfile embedding a misleading PACK signature within commit content. By carefully constructing the packet structure, the attacker tricks the parser into treating invalid or unintended data as a legitimate packfile. This can lead to bypassing approval workflows or hiding commits, undermining the integrity and trustworthiness of the source code management process. The vulnerability is classified under CWE-115, which concerns improper input validation leading to misinterpretation of data. The CVSS 4.0 score is 7.0 (high), reflecting network attack vector, high complexity, low privileges required, no user interaction, and high impact on integrity. No known exploits are currently reported in the wild, but the potential for abuse in software development pipelines is significant. The issue is resolved in git-proxy version 1.19.2.

For European organizations, this vulnerability poses a significant risk to the integrity of software development and deployment processes. Organizations relying on finos git-proxy to mediate Git operations may face risks of unauthorized code changes being introduced or malicious commits being hidden from review, potentially leading to compromised software supply chains. This can result in the introduction of backdoors, malware, or other malicious code into production environments. The impact extends to regulatory compliance, especially under frameworks like the EU's NIS2 Directive and GDPR, where software integrity and security are critical. The vulnerability could also undermine trust in collaborative development environments, affecting both private enterprises and public sector organizations engaged in software development or DevOps practices. Given the network-based attack vector and no requirement for user interaction, exploitation could be automated and widespread if weaponized, increasing the threat surface for European entities.

European organizations should immediately upgrade finos git-proxy to version 1.19.2 or later to remediate the vulnerability. In addition, organizations should implement strict validation and monitoring of Git packfiles and commits passing through git-proxy, including anomaly detection for unusual packfile structures or unexpected commit content. Incorporating additional approval and code review steps independent of git-proxy parsing can help detect suspicious commits. Employing cryptographic signing of commits and verifying signatures before acceptance can mitigate risks of hidden or tampered commits. Network segmentation and limiting access to git-proxy instances to trusted developer networks reduce exposure. Organizations should also audit existing commit histories for signs of manipulation and monitor for unusual activity in their CI/CD pipelines. Finally, maintaining up-to-date threat intelligence and applying patches promptly will reduce the window of exposure.