2026-05-24 | Auto-Generated 2026-05-24 | Oracle-42 Intelligence Research
Open-Source Intelligence Pitfalls: How CVE-2025-3535 Exposes Metadata in Public Git Repos via OWASP ZAP
Executive Summary: CVE-2025-3535 reveals a critical vulnerability where metadata leaks from public Git repositories can be exploited via OWASP ZAP, enabling attackers to harvest sensitive information such as commit hashes, contributor identities, and file paths. This flaw underscores the risks of open-source intelligence (OSINT) in DevOps pipelines and highlights the need for stricter metadata sanitization and access controls. Organizations leveraging OWASP ZAP for security testing must implement compensating controls to mitigate unintended disclosure.
Key Findings
Metadata Leakage: Public Git repositories expose unintended metadata through OWASP ZAP’s active scanning modules, including commit hashes, contributor names, and file paths.
OSINT Risk: Attackers can weaponize this metadata to reconstruct project histories, identify contributors, or launch targeted phishing campaigns.
OWASP ZAP’s Role: Default configurations of OWASP ZAP inadvertently facilitate metadata harvesting, particularly in CI/CD pipelines where repositories are scanned for vulnerabilities.
Mitigation Gaps: Current Git hardening practices (e.g., .gitignore, git-secrets) fail to address OWASP ZAP-induced metadata leaks.
Regulatory Impact: Compliance frameworks like ISO 27001 and NIST SP 800-53 may require updates to account for this novel OSINT vector.
Technical Analysis: How CVE-2025-3535 Works
Metadata Exposure Mechanisms
OWASP ZAP’s active scanner, when deployed against public Git repositories, parses HTTP responses and directory listings to extract metadata. The vulnerability arises from:
Unprotected .git Directories: When a checkout's .git directory sits under a served web root and directory listing is enabled, ZAP's crawler can retrieve .git/HEAD, .git/config, or .git/logs files without any credentials, regardless of how the repository itself was cloned.
Commit Hash Inference: ZAP’s forced browsing rules may trigger 404 responses that leak commit hashes (e.g., via diff endpoints or GitHub’s API mirroring).
Contributor Attribution: Git’s reflog or contributor lists in commit messages (e.g., Signed-off-by) are harvested by ZAP’s passive scanner.
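The three mechanisms above all depend on a .git directory being present in content that gets served. The following Python script is an added example for this page (not code from OWASP ZAP or from any project the page names): a pre-publish check that walks a directory destined for a web root, flags any .git directory or worktree pointer file, and summarizes what the metadata named above would reveal if the tree were published (branch from HEAD, remote URL from config, number of reflog entries). The sample site layout, remote URL and reflog lines are constructed in a temporary directory for illustration.

```python
"""Pre-publish check: find .git metadata in a tree about to be served as a web root.

Added example, not code from OWASP ZAP or any project named on the page.
The sample repository layout below is constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

# Minimal patterns for git's INI-like config: [section "subsection"] and key = value
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w.-]+)\s*=\s*(.*?)\s*$')


def parse_git_config(text):
    """Return {(section, subsection_or_None): {key: value}} for a git config file."""
    result = {}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            result.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            result[current][m.group(1).lower()] = m.group(2)
    return result


def summarize_git_dir(git_dir):
    """Describe what an exposed .git directory would disclose to a crawler."""
    git_dir = Path(git_dir)
    info = {"path": str(git_dir), "branch": None, "remotes": [], "reflog_entries": 0}
    head = git_dir / "HEAD"
    if head.is_file():
        ref = head.read_text().strip()
        prefix = "ref: refs/heads/"
        info["branch"] = ref[len(prefix):] if ref.startswith(prefix) else ref
    config = git_dir / "config"
    if config.is_file():
        for (section, name), keys in parse_git_config(config.read_text()).items():
            if section == "remote" and "url" in keys:
                info["remotes"].append((name, keys["url"]))  # remote URLs name the origin host/project
    reflog = git_dir / "logs" / "HEAD"
    if reflog.is_file():  # each reflog line carries a committer name, e-mail and commit hashes
        info["reflog_entries"] = sum(1 for l in reflog.read_text().splitlines() if l.strip())
    return info


def find_exposed_git(web_root):
    """Walk web_root and summarize every .git directory or .git pointer file found."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        if ".git" in dirnames:
            findings.append(summarize_git_dir(Path(dirpath) / ".git"))
            dirnames.remove(".git")  # no need to descend into it
        if ".git" in filenames:  # worktree/submodule pointer file ("gitdir: ...")
            findings.append({"path": str(Path(dirpath) / ".git"), "branch": None,
                             "remotes": [], "reflog_entries": 0, "pointer": True})
    return findings


def build_sample_web_root():
    """Constructed sample: a static site copied to the web root together with its .git."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.html").write_text("<h1>hello</h1>")
    git = root / ".git"
    (git / "logs").mkdir(parents=True)
    (git / "HEAD").write_text("ref: refs/heads/main\n")
    (git / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[remote "origin"]\n\turl = git@example.invalid:acme/internal-site.git\n'
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    )
    (git / "logs" / "HEAD").write_text(
        "0000000000000000000000000000000000000000 1111111111111111111111111111111111111111 "
        "Dev One <dev1@example.invalid> 1700000000 +0000\tcommit (initial): first\n"
        "1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 "
        "Dev Two <dev2@example.invalid> 1700003600 +0000\tcommit: second\n"
    )
    return root


if __name__ == "__main__":
    for finding in find_exposed_git(build_sample_web_root()):
        print(finding)
```

Run it against the staging directory in a CI job before the deploy step; a non-empty result is the condition to fail on. The summary deliberately reports only what the files would disclose (branch, remotes, reflog size) so the finding can be triaged without anyone reading the repository contents.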
OWASP ZAP’s Default Configuration Pitfalls
The vulnerability is exacerbated by OWASP ZAP’s default settings:
Active Scan Policies: Rules like "Directory Browsing" and "File Extension Handling" inadvertently expose metadata when misconfigured.
CI/CD Integration: Tools like Jenkins or GitLab CI often use OWASP ZAP with minimal customization, enabling metadata leaks in automated workflows.
Real-World Exploitation Scenarios
Attackers can chain CVE-2025-3535 with other OSINT techniques:
Supply Chain Attacks: Metadata from leaked commit hashes reveals dependency versions, enabling attackers to target outdated libraries.
Social Engineering: Contributor names harvested from Git metadata are used to craft phishing emails (e.g., impersonating project maintainers).
Intellectual Property Theft: File paths and commit diffs expose proprietary code paths, aiding competitors or nation-state actors.
Mitigation Strategies
Immediate Actions for Organizations
Sanitize Metadata: Use tools like git filter-repo or BFG Repo-Cleaner to purge .git directories from public repositories.
OWASP ZAP Hardening: Disable directory browsing and restrict spidering to non-.git paths. Customize active scan policies to avoid metadata exposure.
CI/CD Controls: Implement pre-commit hooks (e.g., pre-commit framework) to strip metadata before pushing to public repos.
Access Controls: Restrict OWASP ZAP scans to trusted networks and use authentication to limit metadata harvesting.
Long-Term OSINT Risk Management
Metadata Policies: Adopt frameworks like OpenSSF Scorecard to audit repository metadata exposure.
Developer Training: Educate teams on the risks of metadata leaks in public repositories and the limitations of traditional .gitignore rules.
Tooling Updates: Advocate for OWASP ZAP plugins that detect and block metadata extraction during scans.
Recommendations for Security Teams
To address CVE-2025-3535, security teams should:
Audit Public Repositories: Use tools like git-secrets or AWS Git Secrets to scan for exposed metadata.
Implement Least Privilege: Restrict OWASP ZAP scans to specific endpoints and avoid public-facing repository URLs.
Leverage Git Host Protections: Enable GitHub’s "Private Vulnerability Reporting" or GitLab’s "Repository Access Tokens" to limit metadata exposure.
Monitor for OSINT Abuse: Deploy threat intelligence feeds to detect metadata harvesting attempts (e.g., unusual crawler activity).
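Monitoring for harvesting attempts does not need a threat feed to get started: the web server's own access log records every request for the .git paths listed in the Technical Analysis section. The Python script below is an added example for this page (not code from OWASP ZAP or any project the page names). It parses Combined Log Format lines, keeps only requests for paths under /.git, and groups them per client so that a burst of probes from one source, or a 200 response on a file such as .git/HEAD or .git/config, surfaces as one finding. The log lines, client addresses, user agents and the threshold are constructed for illustration.

```python
"""Flag clients probing .git metadata paths in web server access logs.

Added example, not code from OWASP ZAP or any project named on the page.
Log lines, addresses and the threshold below are constructed for illustration.
"""
import re
from collections import defaultdict

# Common/Combined Log Format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Matches "/.git/..." and a bare "/.git", but not "/.gitignore" or "/.github/".
GIT_PATH_RE = re.compile(r'/\.git(?:/|$)', re.IGNORECASE)
# Files whose successful retrieval confirms the repository is actually exposed.
HIGH_VALUE = ("/.git/HEAD", "/.git/config", "/.git/logs/HEAD", "/.git/index")
PROBE_THRESHOLD = 3  # constructed: distinct .git paths from one client before flagging

# Constructed sample log: one normal visitor, one crawler, one single 404 probe.
SAMPLE_LOG = [
    '203.0.113.10 - - [24/May/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [24/May/2026:10:00:02 +0000] "GET /about.html HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [24/May/2026:10:05:00 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "crawler/1.0"',
    '198.51.100.7 - - [24/May/2026:10:05:00 +0000] "GET /.git/config HTTP/1.1" 200 140 "-" "crawler/1.0"',
    '198.51.100.7 - - [24/May/2026:10:05:01 +0000] "GET /.git/logs/HEAD HTTP/1.1" 404 0 "-" "crawler/1.0"',
    '198.51.100.7 - - [24/May/2026:10:05:01 +0000] "GET /.git/index HTTP/1.1" 403 0 "-" "crawler/1.0"',
    '192.0.2.44 - - [24/May/2026:10:07:30 +0000] "GET /.git/HEAD HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [24/May/2026:10:07:31 +0000] "GET /.gitignore HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_git_probes(lines, threshold=PROBE_THRESHOLD):
    """Return {ip: {"paths": set, "served": [paths], "ua": str}} for clients worth a look.

    A client is flagged when it requested at least `threshold` distinct .git paths,
    or when any high-value file was answered with 200 (metadata left the server).
    """
    per_client = defaultdict(lambda: {"paths": set(), "served": [], "ua": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not GIT_PATH_RE.search(rec["path"]):
            continue
        client = per_client[rec["ip"]]
        client["paths"].add(rec["path"])
        client["ua"] = rec["ua"] or client["ua"]
        hit_high_value = any(rec["path"].lower().endswith(p.lower()) for p in HIGH_VALUE)
        if rec["status"] == 200 and hit_high_value:
            client["served"].append(rec["path"])
    return {ip: c for ip, c in per_client.items()
            if len(c["paths"]) >= threshold or c["served"]}


if __name__ == "__main__":
    for ip, finding in find_git_probes(SAMPLE_LOG).items():
        print(ip, finding["ua"], sorted(finding["paths"]), "served:", finding["served"])
```

The "served" list is the part to act on first: a 200 on .git/HEAD or .git/config means the mitigation in the previous section is missing on that host, whereas a run of 403/404 responses shows the web server is already refusing the paths and only the probing client needs attention.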
FAQ
Does CVE-2025-3535 affect all public Git repositories?
No. The vulnerability primarily impacts repositories with exposed .git directories or misconfigured OWASP ZAP scans. Repositories hosted on platforms like GitHub with default protections (e.g., no directory listing) are less vulnerable, but metadata can still be exposed via commit hashes or contributor lists.
Can OWASP ZAP be configured to avoid metadata leaks?
Yes. Customize OWASP ZAP’s spider module to exclude .git paths and disable active scan rules that trigger directory browsing. Organizations should also use OWASP ZAP’s "Context" feature to define scope limitations.
What regulatory frameworks are impacted by this vulnerability?
CVE-2025-3535 may affect compliance with ISO 27001 (A.9.4.2), NIST SP 800-53 (SI-4), and GDPR (Article 32), as metadata leaks can constitute unauthorized data disclosure. Organizations should update risk assessments to include OSINT-driven threats.