A high-severity vulnerability has been discovered in multiple GitProxy products, which could allow an authenticated attacker to gain unauthorized access to sensitive source code repositories. Successful exploitation could lead to the theft of intellectual property, exposure of trade secrets, and potential for an attacker to inject malicious code into the software supply chain. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this significant risk.

The vulnerability is a command injection flaw within the Git request parsing component of the GitProxy application. An authenticated attacker with low-level privileges can craft a malicious Git command containing specially formatted arguments. When the GitProxy server processes this command, it fails to properly sanitize the user-supplied input, allowing the injected commands to be executed on the underlying server with the privileges of the GitProxy service account. This could allow an attacker to bypass repository-level access controls, read sensitive files from the server, or exfiltrate entire Git repositories to which they do not have legitimate access.

This vulnerability is rated as High severity with a CVSS score of 7.1, posing a direct threat to an organization's intellectual property. The primary business impact is the potential for data exfiltration, leading to the loss of proprietary source code, credentials, and other sensitive information stored in Git repositories. This can result in significant financial loss, damage to competitive advantage, and reputational harm. Furthermore, if an attacker can write to repositories, they could inject malicious code, creating a supply chain risk that impacts downstream customers and products.

Immediate Action: The primary remediation is to apply the security updates provided by GitProxy across all affected instances without delay. Before and after patching, system administrators should review GitProxy access and error logs for any anomalous or suspicious activity that could indicate past or ongoing exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring on GitProxy servers. Specifically, monitor for unusual or malformed Git commands in access logs, particularly those containing shell metacharacters (|, &, ;, $, (, )). Monitor for unexpected outbound network connections from the GitProxy server and look for child processes being spawned by the GitProxy service that are outside of normal operational behavior.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. This includes placing the GitProxy instance behind a Web Application Firewall (WAF) with strict rulesets designed to detect and block command injection and path traversal patterns. Additionally, enhance access control policies to restrict proxy access to only trusted users and IP ranges, and consider isolating the GitProxy server in a segmented network zone to limit its potential reach if compromised.

Public Exploit Available: false

Given the high severity rating (CVSS 7.1) and the critical nature of the assets protected by GitProxy (source code), we strongly recommend that organizations treat this vulnerability with high urgency. The potential for intellectual property theft and supply chain compromise represents a significant business risk. Although this CVE is not currently on the CISA KEV list and no active exploitation has been reported, patching should be prioritized and completed immediately. Proactive monitoring should be implemented as a secondary control to detect any potential attempts to exploit this flaw.