
Cloud Vulnerability DB
A community-led vulnerabilities database
GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions up to and including 1.19.1, an attacker can craft a malicious Git packfile that defeats the PACK signature detection in the parsePush.ts file. The vulnerability was discovered in July 2025 and affects all GitProxy installations up to version 1.19.1. The issue was fixed in version 1.19.2 (GitHub Advisory, NVD).
The vulnerability stems from how parsePush.ts locates the Git packfile in an incoming push: it searches for the last occurrence of the string 'PACK' in the push payload using buffer.lastIndexOf('PACK') and treats that offset as the start of the binary packfile. That assumption only holds if no bytes after the real header happen to spell 'PACK'. Git objects can contain arbitrary content, and because object data in a packfile is deflate-compressed but a stored (uncompressed) deflate block carries its input literally, a binary or non-compressed blob can place the bytes 'PACK' after the genuine header, so the last match lands inside object data rather than at the packfile header. The vulnerability has been assigned a CVSS v4.0 base score of 7.0 (High) with the vector string CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N (GitHub Advisory).
Attackers with push access can hide commits from scanning and approval and land changes that bypass policy, potentially inserting unwanted or malicious code into a GitProxy-protected repository. The vulnerability impacts all users or organizations relying on GitProxy to enforce policies and prevent unapproved changes. Exploitation requires no privileges beyond regular push access and no user interaction, but it does require considerable technical skill and deliberate effort (GitHub Advisory).
The vulnerability has been fixed in GitProxy version 1.19.2. All users and organizations are strongly advised to upgrade to this version to receive the security fix. The fix includes improvements to the packfile parsing logic and additional validation checks (GitHub Release).
Source: This report was generated using AI