CVE-2025-54586: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in finos git-proxy
GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2.
AI Analysis
Technical Summary
CVE-2025-54586 is a high-impact vulnerability affecting finos git-proxy versions 1.19.1 and below. GitProxy acts as an intermediary between developers and Git remote endpoints such as GitHub. The vulnerability allows an attacker with at least limited privileges (PR:L) to inject extra commits into the pack data sent to GitHub. These injected commits are not referenced by any branch and thus remain hidden from the repository's visible commit history. However, GitHub still serves these commits at their direct commit URLs, enabling an attacker to exfiltrate sensitive information embedded within these hidden commits without detection through normal branch views. This exposure of sensitive data corresponds to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability does not require user interaction (UI:N) and can be exploited remotely (AV:N) with low attack complexity (AC:L). The integrity impact is low since the main issue is confidentiality compromise, and availability is unaffected. The vulnerability is fixed in git-proxy version 1.19.2. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 7.1, reflecting a high severity due to the potential for significant confidentiality breaches in source code repositories, which may contain proprietary or sensitive business information. The flaw undermines the confidentiality guarantees of the repository by allowing unauthorized access to hidden commits that should not be accessible to unauthorized actors.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of source code and other sensitive data stored in Git repositories managed via git-proxy. Organizations in sectors such as finance, technology, manufacturing, and government that rely on GitHub and git-proxy for software development and version control could have proprietary code, credentials, or confidential project information exposed. The stealthy nature of the attack—hidden commits not visible in branch histories—makes detection difficult, increasing the risk of prolonged data exfiltration without notice. This could lead to intellectual property theft, competitive disadvantage, regulatory compliance violations (e.g., GDPR if personal data is exposed), and reputational damage. The requirement for at least limited privileges means insider threats or compromised developer accounts could be leveraged to exploit this vulnerability. Given the widespread use of GitHub and git-proxy in European software development environments, the impact could be broad, affecting both private enterprises and public sector entities.
Mitigation Recommendations
European organizations should immediately upgrade git-proxy to version 1.19.2 or later to remediate this vulnerability. In addition, organizations should audit their git-proxy deployment configurations and access controls to ensure that only trusted and authenticated users have commit privileges. Implement strict monitoring and logging of commit activities, especially for unusual or unreferenced commits, to detect potential injection attempts. Employ network segmentation and least privilege principles to limit access to git-proxy services. Conduct regular security reviews of repository contents to identify any unexpected or hidden commits. Integrate automated scanning tools that can detect anomalous commit patterns or unauthorized data exposure. Finally, educate developers and DevOps teams about this vulnerability and encourage prompt patching and vigilance against suspicious repository activity.
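The recommendations above hinge on one check: every commit carried by a push must be reachable from a ref that the push updates, otherwise it is stored by the remote without appearing in any branch history. The following is an added example, not code from finos git-proxy, of how a proxy or pre-receive hook can make that decision. It assumes the pack has already been inflated into commit objects keyed by id; the ids (c0, c1, c2, x9), tree ids, and author lines are constructed placeholders, and `KNOWN_COMMITS` stands in for a lookup of objects the remote already holds.

```python
from collections import deque

# Constructed sample (not from the advisory): commit objects as a proxy would see
# them after inflating a pushed pack, keyed by placeholder ids. Only the header
# lines matter for reachability; the messages are illustrative.
PACK_COMMITS = {
    "c1": "tree 1111\nparent c0\nauthor Dev <dev@example.invalid> 1 +0000\n\nadd feature\n",
    "c2": "tree 2222\nparent c1\nauthor Dev <dev@example.invalid> 2 +0000\n\nfix tests\n",
    # Hypothetical dangling commit: in the pack, but no updated ref leads to it.
    "x9": "tree 9999\nparent c0\nauthor Dev <dev@example.invalid> 3 +0000\n\nunrelated\n",
}

# Commits the remote already has before the push; the walk stops at these.
# In a real hook this would be an object-existence check against the repository.
KNOWN_COMMITS = {"c0"}

# Ref updates carried by the push: refname -> (old tip, new tip).
REF_UPDATES = {"refs/heads/main": ("c0", "c2")}

# Git signals a ref deletion with an all-zero new tip; there is nothing to walk.
ZERO_ID = "0" * 40


def parse_parents(raw_commit):
    """Return the parent ids named in a commit object's header.

    The header ends at the first blank line; each parent is a 'parent <id>' line.
    Merge commits carry several parent lines, so a list is returned."""
    header = raw_commit.split("\n\n", 1)[0]
    return [line.split(" ", 1)[1] for line in header.split("\n") if line.startswith("parent ")]


def reachable_from_refs(ref_updates, pack_commits, known_commits):
    """Walk parents from each new ref tip and collect the pack commits reached.

    Traversal stops at commits the remote already has, so only the newly pushed
    part of the graph is visited. Returns (reachable, missing); 'missing' holds
    tips or parents that are neither in the pack nor already on the remote."""
    reachable = set()
    missing = set()
    queue = deque(new for _old, new in ref_updates.values() if new != ZERO_ID)
    while queue:
        commit = queue.popleft()
        if commit in known_commits or commit in reachable:
            continue
        if commit not in pack_commits:
            missing.add(commit)
            continue
        reachable.add(commit)
        queue.extend(parse_parents(pack_commits[commit]))
    return reachable, missing


def find_unreferenced(ref_updates, pack_commits, known_commits):
    """Return the pack commits no updated ref can reach, sorted for stable output.

    These are the objects the advisory describes: accepted and stored by the
    remote, yet absent from every branch view."""
    reachable, _missing = reachable_from_refs(ref_updates, pack_commits, known_commits)
    return sorted(set(pack_commits) - reachable)


def check_push(ref_updates, pack_commits, known_commits):
    """Policy decision for one push: accept only when every pack commit is
    referenced by an updated ref and every tip or parent can be resolved."""
    reachable, missing = reachable_from_refs(ref_updates, pack_commits, known_commits)
    unreferenced = sorted(set(pack_commits) - reachable)
    return {
        "accept": not unreferenced and not missing,
        "unreferenced": unreferenced,
        "missing": sorted(missing),
    }


if __name__ == "__main__":
    # With the sample data the push is rejected because x9 is unreferenced.
    print(check_push(REF_UPDATES, PACK_COMMITS, KNOWN_COMMITS))
```

Rejecting a push that fails this check is the preventive control; logging the `unreferenced` list gives the monitoring signal the recommendations call for. The same walk run against an existing repository (with all refs as tips and nothing marked known) is how a periodic review of repository contents would surface commits that are stored but reachable from no ref.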
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-07-25T16:19:16.094Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 688a8f80ad5a09ad00afa685
Added to database: 7/30/2025, 9:32:48 PM
Last enriched: 8/7/2025, 1:25:08 AM
Last updated: 9/12/2025, 9:25:43 PM