N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54583

GHSA ID

GHSA-qr93-8wwf-22g4

EPSS Score

CWE

CWE-863

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54583

CVE-2025-54583: GitProxy Approval Bypass When Pushing Multiple Branches

Summary

This vulnerability allows a user to push to the remote repository while bypassing policies and explicit approval. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository.

Because it can allow policy violations to go undetected, we classify this as a High impact vulnerability.

Details

The source of the vulnerability is the push parser action parsePush.ts. It reads the first branch and parses it, while ignoring subsequent branches (silently letting them go through).

Although the fix involves multiple improvements to the commit and push parsing logic, the core solution is to prevent multiple branch pushes from going through in the first place:

if (refUpdates.length !== 1) {
  step.log('Invalid number of branch updates.');
  step.log(`Expected 1, but got ${refUpdates.length}`);
  step.setError('Your push has been blocked. Please make sure you are pushing to a single branch.');
  action.addStep(step);
  return action;
}

PoC

Make a commit on a branch:

git checkout -b safe-branch
echo "Approved code" > file.txt
git add .
git commit -m "Approved code"
git push proxy safe-branch

Wait for approval of safe-branch.
Make a commit on a separate branch with a secret, for example:

git checkout -b bad-branch
echo "SECRET=abc123" > .env
git add .
git commit -m "Bad code"

Push both at the same time:

git push proxy safe-branch bad-branch

Expected Result

Ideally, this would force checks to run for the second branch while sending it out for approval. Meanwhile, the first branch would be pushed to the remote. A simpler solution is to simply prevent multiple branch pushes.

Actual Result

Both branches get pushed to the remote, and second branch bypasses the proxy.

Impact

Attackers with push access can bypass review policies, potentially inserting unwanted/malicious code into a GitProxy-protected repository.

Miggo Vulnerability Database

→

CVE-2025-54583

CVE-2025-54583:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-54583

GHSA ID

GHSA-qr93-8wwf-22g4

EPSS Score

CWE

CWE-863

Published

7/30/2025

Updated

7/30/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@finos/git-proxy	npm	<= 1.19.1	1.19.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allows bypassing security checks by pushing multiple branches at once. The provided patch for commit a620a2f33c39c78e01783a274580bf822af3cc3a clearly shows that the exec function within src/proxy/processors/push-action/parsePush.ts was modified to prevent this. The core of the fix is the introduction of a check that explicitly validates the number of branch updates in a push and rejects any push with more than one. The vulnerable function is identified as parsePush.exec because its displayName is set to this value, and it is the entry point for parsing the push request where the multi-branch bypass occurs. The previous implementation incorrectly parsed the push data, only considering the first branch and ignoring any others, which is the root cause of the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54583: GitProxy Approval Bypass When Pushing Multiple Branches

Summary

Details

PoC

Expected Result

Actual Result

Impact

CVE-2025-54583:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

Basic Information

Basic Information

CVE-2025-54583: GitProxy Approval Bypass When Pushing Multiple Branches

Summary

Details

PoC

Expected Result

Actual Result

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI