CVE-2025-54584

Description

### Summary An attacker can craft a malicious Git packfile to exploit the PACK signature detection in the `parsePush.ts`. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. ### Details The affected version of `parsePush.ts` attempts to locate the Git PACK file by looking for the last occurrence of the string "PACK" in the incoming push payload: ```ts const packStart = buffer.lastIndexOf('PACK'); ``` This assumes that any "PACK" string near the end of the push is the beginning of the actual binary Git packfile. However, Git objects (commits, blobs, etc.) can contain arbitrary content (including the word PACK) in binary or non-compressed blobs. An attacker could abuse this by: 1. Crafting a custom packfile using low-level Git tools or by manually forging one 2. Placing the string "PACK" inside a commit body or a binary file blob that appears after the real PACK start in the stream. The parser then ignores the actual push and treats the binary blob/commit body as the PACK file. The actual push contents may violate existing push policies. ### PoC 1. Make a commit on any branch (example: `test-branch`) containing the string "PACK" 2. Manually generate a custom packfile with both branches using `git pack-objects` or a low-level library/custom script: a) Add the string "PACK" after the real packfile's PACK header in the binary stream 3. Push using a custom client/raw protocol injection ### Impact Attackers with push access can hide commits from scanning/approval and make changes that bypass policies, potentially inserting unwanted/malicious code into a GitProxy protected repository. The vulnerability impacts all users or organizations relying on GitProxy to enforce policies and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction, however, it does require a considerable amount of technical skill and intentional effort to accomplish.

How to fix CVE-2025-54584

To remediate CVE-2025-54584, upgrade the affected package to a fixed version below.

• —upgrade to 1.19.2 or later

Is CVE-2025-54584 being exploited?