GitProxy Hidden Commits Injection Vulnerability Allows Undetected Data Exfiltration

Vulnerability

A vulnerability in GitProxy versions through 1.19.1 allows attackers to inject hidden commits into the pack sent to GitHub. Because these commits are not referenced by any branch, they never appear in the repository's branch history, yet they can still be retrieved through their direct commit URLs. This enables exfiltration of sensitive data without detection, since reviewers looking at the branch view never see the hidden commits. The vulnerability arises because GitProxy trusts only the ref-update line of the push (old SHA, new SHA, ref name) and does not verify the packfile's contents, so a malicious client can append commits that the updated ref does not reach. The issue has been addressed in GitProxy version 1.19.2.

Impact

Exploitation of this vulnerability leads to unauthorized injection of commits into a GitHub repository, allowing for undetected data exfiltration. The injected commits can be accessed through their commit URLs, creating a high risk of confidentiality breaches.

Reproduction

To reproduce this vulnerability, first push a visible commit to a branch on a GitHub repository via GitProxy. After the push is approved, create a packfile that includes a hidden commit not referenced by any branch. This packfile can be uploaded to the repository using the GitHub API, injecting the hidden commit without leaving a trace in the branch history.
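The root cause described above is that only the ref-update line is checked, never the objects actually carried in the pack. The following is an added illustration, not GitProxy's own code or its actual fix: it inflates the objects of an undeltified version-2 packfile, then walks the commit graph from the ref-update's new tip and reports any commit in the pack that the tip does not reach, which is exactly the kind of dangling commit the reproduction relies on. It assumes packs without delta objects and uses constructed commits with placeholder tree/parent ids.

```python
import hashlib, struct, zlib

TYPE_NAMES = {1: b"commit", 2: b"tree", 3: b"blob", 4: b"tag"}  # undeltified types only

def object_id(type_name, payload):
    return hashlib.sha1(type_name + b" %d\0" % len(payload) + payload).hexdigest()  # Git object id

def build_pack(objects):
    """Test helper: build a version-2 pack (no deltas) from (type_num, payload) pairs."""
    body = b""
    for tnum, payload in objects:
        hdr, size = bytearray([(tnum << 4) | (len(payload) & 15)]), len(payload) >> 4
        while size:                       # continuation bit, then 7 more size bits per byte
            hdr[-1] |= 0x80; hdr.append(size & 0x7F); size >>= 7
        body += bytes(hdr) + zlib.compress(payload)
    pack = b"PACK" + struct.pack(">II", 2, len(objects)) + body
    return pack + hashlib.sha1(pack).digest()   # trailing pack checksum

def parse_pack(data):
    """Inflate every object in the pack; returns {sha1_hex: (type_name, payload)}."""
    if data[:4] != b"PACK" or hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("bad pack magic or checksum")
    pos, objs = 12, {}
    for _ in range(struct.unpack(">I", data[8:12])[0]):
        c = data[pos]; pos += 1
        tnum, size, shift = (c >> 4) & 7, c & 15, 4
        while c & 0x80:                   # same varint layout as build_pack
            c = data[pos]; pos += 1; size |= (c & 0x7F) << shift; shift += 7
        if tnum not in TYPE_NAMES: raise ValueError("delta objects are out of scope here")
        z = zlib.decompressobj()
        payload = z.decompress(data[pos:])  # stops at the end of this object's zlib stream
        pos = len(data) - len(z.unused_data)
        objs[object_id(TYPE_NAMES[tnum], payload)] = (TYPE_NAMES[tnum], payload)
    return objs

def unreferenced_commits(objs, new_tips, known):
    """Commits in the pack that the ref-update's new tip(s) do not reach; `known` = SHAs already on the server."""
    commits = {s: [h[7:].decode() for h in p.split(b"\n\n", 1)[0].split(b"\n") if h.startswith(b"parent ")]
               for s, (t, p) in objs.items() if t == b"commit"}
    reachable, stack = set(), list(new_tips)
    while stack:
        s = stack.pop()
        if s in reachable or s in known or s not in commits: continue  # stop at server-side history
        reachable.add(s); stack.extend(commits[s])
    return sorted(set(commits) - reachable)

def make_commit(tree, parent, msg):
    """Constructed commit payload with a fixed author/committer (placeholder ids)."""
    return (b"tree %s\nparent %s\nauthor A <a@x> 0 +0000\ncommitter A <a@x> 0 +0000\n\n%s\n"
            % (tree.encode(), parent.encode(), msg))
```

A proxy applying this check would reject the push when the returned list is non-empty, rather than forwarding the pack on the strength of the ref-update line alone.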

Remediation

Users are advised to upgrade to GitProxy version 1.19.2 or 2.0.0, both of which include patches for this vulnerability.

Added: Jul 30, 2025, 10:21 PM
Updated: Jul 30, 2025, 10:21 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.