CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.
Analysis (AI)
Unvalidated path handling in mcp-server-git versions before 2025.9.25 allows an attacker who can get the git_init tool invoked (the vector is network-reachable, AV:N, but still requires a tool call to be issued through an MCP client, UI:P) to create Git repositories in any filesystem location writable by the server process. Once a directory has been turned into a repository it becomes a valid target for the server's other git tools, so the bug extends the reach of every subsequent operation rather than causing direct damage on its own. The git_init tool was removed outright in the patched version, since the server is designed to operate only on pre-existing repositories. No active exploitation has been confirmed. The CVSS 4.0 base score is 6.5: no confidentiality, integrity or availability impact on the vulnerable component itself (VC:N/VI:N/VA:N), but high impact on subsequent systems (SC:H/SI:H/SA:H), reflecting that the exposed directories belong to the host rather than to the MCP server.
Technical Context (AI)
The Model Context Protocol (MCP) is a framework enabling AI models to interact with external systems through structured tool interfaces. mcp-server-git is a reference implementation that exposes git operations to MCP clients. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory): the git_init tool performed no validation of its filesystem path argument before initializing a repository there. The server's other tools take a path to an existing repository and fail if none is present, which implicitly constrains them to directories that were already repositories; git_init had no such constraint, accepted any path the process could write to, and created repositories there, which then qualified those directories for the other tools. The affected CPE is lfprojects:model_context_protocol_servers, with all versions prior to 2025.9.25 vulnerable. The root cause is insufficient validation of user-controlled filesystem paths before they are handed to git.
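The following is an added example, not code from the mcp-server-git project or its fix: it places the unvalidated pattern the advisory describes next to a hardened handler that canonicalizes the requested path and only accepts it when it lies under an operator-configured allowlist of repository roots (the upstream fix removed the tool instead; the allowlist shows what a retained, constrained version would need). Git is not invoked; creating a `.git` directory stands in for `git init` so the example runs offline. The function and variable names, the constructed workspace layout, and the four request cases are all assumptions of this example.

```python
"""Added example: unvalidated vs. allowlist-constrained repository init.

Not part of mcp-server-git. Creating a ".git" directory stands in for
`git init`. The symlink case assumes a POSIX filesystem.
"""
import tempfile
from pathlib import Path


class PathNotAllowed(ValueError):
    """Raised when a requested path resolves outside every allowed root."""


def unsafe_git_init(repo_path: str) -> Path:
    """Vulnerable pattern (assumed shape, not the upstream code): the
    client-supplied path is used as-is, so any directory the server
    process can write to becomes a repository."""
    target = Path(repo_path)
    (target / ".git").mkdir(parents=True, exist_ok=True)
    return target


def resolve_inside(repo_path: str, allowed_roots: list) -> Path:
    """Canonicalise repo_path (following symlinks and '..') and require the
    result to be one of allowed_roots or a descendant of one. Resolving
    both sides is what defeats '..' traversal and symlink escapes."""
    resolved = Path(repo_path).resolve()
    for root in allowed_roots:
        root_resolved = Path(root).resolve()
        if resolved == root_resolved or resolved.is_relative_to(root_resolved):
            return resolved
    raise PathNotAllowed(f"{repo_path!r} resolves to {resolved}, outside the allowed roots")


def safe_git_init(repo_path: str, allowed_roots: list) -> Path:
    """Hardened variant: only initialise inside an allowed root."""
    target = resolve_inside(repo_path, allowed_roots)
    (target / ".git").mkdir(parents=True, exist_ok=True)
    return target


def demo() -> dict:
    """Constructed workspace: one allowed root, a directory outside it,
    and a symlink inside the root that points outside. Returns, per
    request, (unsafe handler accepted, hardened handler accepted)."""
    base = Path(tempfile.mkdtemp())
    workspace = base / "workspace"   # the only allowed root
    outside = base / "outside"       # must never become a repository
    workspace.mkdir()
    outside.mkdir()
    (workspace / "escape").symlink_to(outside, target_is_directory=True)

    requests = {
        "inside": str(workspace / "project"),
        "traversal": str(workspace / ".." / "outside" / "evil"),
        "symlink": str(workspace / "escape" / "evil"),
        "absolute": str(outside / "direct"),
    }
    results = {}
    for name, path in requests.items():
        unsafe_ok = unsafe_git_init(path) is not None  # never refuses
        try:
            safe_git_init(path, [workspace])
            safe_ok = True
        except PathNotAllowed:
            safe_ok = False
        results[name] = (unsafe_ok, safe_ok)
    return results


if __name__ == "__main__":
    for name, (unsafe_ok, safe_ok) in demo().items():
        print(f"{name:10s} unsafe={unsafe_ok} hardened={safe_ok}")
```

Only the `inside` request survives the hardened handler; the `..` traversal, the symlink escape and the absolute path outside the root are all rejected because the check runs on the resolved path rather than the string the client sent. A check that merely looked for `..` or compared string prefixes would still pass the symlink case.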
Remediation (AI)
Vendor-released patch: Model Context Protocol Servers version 2025.9.25 or newer. The primary remediation is to upgrade mcp-server-git to 2025.9.25 or later, which removes the git_init tool entirely because it is inconsistent with the server's design principle of operating on existing repositories only. After upgrading, confirm the running instance is actually on the patched version and that git_init no longer appears in the server's advertised tool list. If an immediate upgrade is not feasible, restrict access to the mcp-server-git instance to trusted MCP clients only, and run the server process with minimal filesystem permissions (principle of least privilege), limiting write access to the directories that should legitimately contain Git repositories; this bounds where a repository can be created but does not remove the tool, so any client (or a model acting through one) that can still reach the server can still invoke it within those bounds. For additional details and to verify the patch, consult the upstream fix commit at https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6 and the security advisory at https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v.
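An added example (not tooling from the upstream project) for the two deployment checks above: compare the installed mcp-server-git version against the fixed release, and inspect an MCP `tools/list` response for the removed `git_init` tool. Release numbers are calendar-based (`2025.9.25`), so they must be compared as integer tuples rather than strings; the sample `tools/list` responses are constructed for the example and the distribution name passed to `importlib.metadata` is an assumption.

```python
"""Added example: verify an mcp-server-git deployment is on the fixed release.

Not part of the upstream project. Version strings are CalVer
(year.month.day); the JSON-RPC payloads below are constructed samples.
"""
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION = "2025.9.25"   # first release without git_init (per advisory)
REMOVED_TOOL = "git_init"


def parse_calver(version: str) -> Tuple[int, ...]:
    """Turn '2025.9.25' into (2025, 9, 25). Leading digits of each dotted
    component are used so a suffix such as '25rc1' still orders sensibly;
    a component with no digits is rejected."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"not a CalVer component: {piece!r} in {version!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or after the fixed release.
    Tuple comparison avoids the string trap where '2025.10.1' < '2025.9.25'."""
    return parse_calver(version) >= parse_calver(fixed)


def installed_version(distribution: str = "mcp-server-git") -> Optional[str]:
    """Version of the locally installed package, or None if absent.
    The distribution name is an assumption of this example."""
    try:
        return metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None


def advertises_git_init(tools_list_response: dict) -> bool:
    """Inspect a JSON-RPC `tools/list` result from the server and report
    whether the removed tool is still offered. A patched server must
    return False here regardless of what the version string says."""
    tools = tools_list_response.get("result", {}).get("tools", [])
    return any(tool.get("name") == REMOVED_TOOL for tool in tools)


# Constructed sample responses in the MCP tools/list shape.
UNPATCHED_RESPONSE = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "git_status", "inputSchema": {"type": "object"}},
        {"name": "git_init", "inputSchema": {"type": "object"}},
    ]},
}
PATCHED_RESPONSE = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"tools": [
        {"name": "git_status", "inputSchema": {"type": "object"}},
        {"name": "git_log", "inputSchema": {"type": "object"}},
    ]},
}


if __name__ == "__main__":
    local = installed_version()
    if local is None:
        print("mcp-server-git is not installed in this environment")
    else:
        print(f"installed {local}: {'patched' if is_patched(local) else 'VULNERABLE'}")
    print("sample unpatched server offers git_init:", advertises_git_init(UNPATCHED_RESPONSE))
    print("sample patched server offers git_init:  ", advertises_git_init(PATCHED_RESPONSE))
```

Treat the tool list as the authoritative signal: a package that reports a new version but still advertises `git_init` (for example a vendored or forked copy) is still exposed, while a server that does not offer the tool cannot be driven into creating repositories at arbitrary paths.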