SEC-2025-011

Server-Side Request Forgery in Git Proxy Connector

Severity: High
Status: Resolved
Published: Jan 15, 2025
CVSS 3.1: 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Components: git-proxy-connector v2.1.0–v2.3.4
Resolution: v2.3.5 (Jan 14, 2025)

Executive Summary

The .git Security Engineering team has identified and resolved a Server-Side Request Forgery (SSRF) vulnerability in the git-proxy-connector module. This component is used to route outgoing Git operations through custom network proxies for enterprise environments.

An authenticated attacker with access to a workspace configuration could craft a malicious proxy URL pointing to internal resources, potentially leaking sensitive metadata or triggering unintended service-to-service calls. The vulnerability has been fully patched in version 2.3.5, and all managed instances have been automatically updated.

Technical Details

The vulnerability stems from insufficient validation of the PROXY_URL environment variable and its configuration overrides. The connector checked the proxy hostname only as a string, before DNS resolution, and did not reject loopback or internal IP ranges on the address it actually connected to. A crafted URL, including one whose hostname is rebound to an internal address after the check, could therefore route connector traffic to hosts it should never reach.

    # Vulnerable configuration pattern
    config:
      git_proxy:
        endpoint: "http://attacker-controlled-proxy.internal:8080"
        follow_redirects: true    # redirects followed with no hop limit or origin check
        verify_ssl: false         # plaintext endpoint, TLS verification disabled

The connector would forward authenticated Git requests through the specified endpoint without validating that the final resolved IP belonged to the expected proxy network. This allowed an attacker to pivot internal traffic to arbitrary hosts reachable from the runner environment.

Impact

Mitigation & Remediation

All self-hosted and managed instances have been patched to v2.3.5. The fix implements:

  1. Strict allowlisting for proxy hostnames and resolved IP ranges
  2. Automatic rejection of loopback, link-local, and RFC 1918 addresses unless explicitly allowlisted
  3. Redirect tracking with a maximum hop limit of 3 and strict origin validation
  4. Forced TLS verification for all proxy endpoints
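To make the pre-fix behaviour described under Technical Details and the four checks listed above concrete, here is an added example in Python. It is not git-proxy-connector's own code (the advisory does not show it); the hostnames, addresses, the 10.20.0.0/16 network allowlist, the fake resolver, and the reading of "strict origin validation" as "same scheme and host:port as the original endpoint" are assumptions made for illustration.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

MAX_REDIRECT_HOPS = 3  # the hop limit the advisory's fix describes
Resolver = Callable[[str], list[str]]
# Production resolver: A and AAAA via the OS; the sample data below injects a fake instead.
system_resolver: Resolver = lambda host: sorted({i[4][0] for i in socket.getaddrinfo(host, None)})

def is_blocked_ip(ip: str) -> bool:
    """Loopback, link-local, RFC 1918/ULA, unspecified, multicast and reserved ranges.
    IPv4-mapped IPv6 is unwrapped first so ::ffff:10.0.0.1 cannot bypass an IPv4-only check."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_link_local or addr.is_private
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)

def vulnerable_accepts(endpoint: str) -> bool:
    """Pre-fix behaviour as the advisory describes it: the hostname string is inspected,
    the address it resolves to is not, so a name pointing at 169.254.169.254 is accepted."""
    host = (urlsplit(endpoint).hostname or "").lower()
    return host not in {"", "localhost", "127.0.0.1", "::1"}

class ProxyPolicy:
    """Post-fix behaviour: hostname allowlist, range checks on every resolved address with
    an explicit network allowlist as the only exception, forced TLS, and a pinned address
    returned for the dial so a second DNS lookup cannot be rebound."""
    def __init__(self, allowed_hosts: Iterable[str], allowed_networks: Iterable[str] = (),
                 resolver: Resolver = system_resolver, require_tls: bool = True):
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.resolver = resolver
        self.require_tls = require_tls

    def _explicitly_allowed(self, ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in net for net in self.allowed_networks)

    def validate(self, endpoint: str) -> str:
        """Return the address to dial, or raise ValueError naming the failed check."""
        parts = urlsplit(endpoint)
        if self.require_tls and parts.scheme != "https":
            raise ValueError(f"{endpoint}: proxy endpoints must use https")
        host = (parts.hostname or "").lower()
        if host not in self.allowed_hosts:
            raise ValueError(f"{endpoint}: hostname not in allowlist")
        ips = self.resolver(host)
        if not ips:
            raise ValueError(f"{endpoint}: hostname did not resolve")
        for ip in ips:  # every answer must pass, not just the first one returned
            if is_blocked_ip(ip) and not self._explicitly_allowed(ip):
                raise ValueError(f"{endpoint}: resolves to blocked address {ip}")
        return ips[0]

    def follow_redirects(self, start: str, location_of: Callable[[str], Optional[str]]) -> list[str]:
        """Walk a redirect chain, re-validating each hop. location_of(url) returns that
        URL's Location header, or None when the response is final. Hops must keep the
        starting scheme and host:port, and at most MAX_REDIRECT_HOPS are followed."""
        origin = urlsplit(start)[:2]  # (scheme, netloc)
        self.validate(start)
        chain, current = [start], start
        for _ in range(MAX_REDIRECT_HOPS):
            nxt = location_of(current)
            if nxt is None:
                return chain
            if urlsplit(nxt)[:2] != origin:
                raise ValueError(f"{nxt}: redirect to a foreign origin refused")
            self.validate(nxt)
            chain.append(nxt)
            current = nxt
        if location_of(current) is None:
            return chain
        raise ValueError(f"{start}: more than {MAX_REDIRECT_HOPS} redirects")

def failure_reason(fn: Callable, *args) -> Optional[str]:
    """None when fn(*args) succeeds, otherwise the ValueError message."""
    try:
        fn(*args)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample data: a fake resolver stands in for DNS so the example runs offline.
FAKE_DNS = {
    "proxy.corp.example": ["93.184.216.34"],       # legitimate egress proxy (public address)
    "rebound.corp.example": ["169.254.169.254"],   # allowlisted name rebound to a metadata service
    "intranet-proxy.corp.example": ["10.20.1.5"],  # internal proxy; valid only if its network is allowlisted
}
STRICT = ProxyPolicy(FAKE_DNS, resolver=lambda h: FAKE_DNS.get(h, []))
WITH_INTERNAL = ProxyPolicy(["intranet-proxy.corp.example"], allowed_networks=["10.20.0.0/16"],
                            resolver=lambda h: FAKE_DNS.get(h, []))
# Constructed redirect chains (URL -> Location header, None = final response).
SAME_ORIGIN = {"https://proxy.corp.example/a": "https://proxy.corp.example/b",
               "https://proxy.corp.example/b": None}
FOREIGN = {"https://proxy.corp.example/a": "https://rebound.corp.example/b"}
TOO_LONG = {f"https://proxy.corp.example/{i}": f"https://proxy.corp.example/{i + 1}" for i in range(4)}
TOO_LONG["https://proxy.corp.example/4"] = None
```

The point of returning the pinned address from validate() is that the connector must dial that address rather than the hostname; if it resolves the name a second time at connect time, an attacker-controlled record can answer differently and the check is worthless. Note that ipaddress.is_private also covers the RFC 5737 documentation ranges, so 203.0.113.x style test addresses are rejected by this policy.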

If you are running a custom deployment, update immediately:

    # Docker / Kubernetes
    docker pull git.dev/runner-proxy:v2.3.5

    # Helm
    helm upgrade git-proxy ./chart --set image.tag=v2.3.5

Timeline

Date (UTC)     Event
Jan 08, 2025   Vulnerability reported via HackerOne (#114829)
Jan 09, 2025   Confirmed and scoped by Security Team
Jan 12, 2025   Fix merged; regression tests passed
Jan 14, 2025   v2.3.5 released; automated rollout complete
Jan 15, 2025   Public advisory published

Acknowledgments

We thank 0xVortex for responsible disclosure and cooperation throughout the patching process. This vulnerability was discovered independently and was not part of any coordinated attack campaign.

References
