CVE-2025-68144
Severity: MEDIUM. CVSS vector (NVD):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., --output=/path/to/file for git_diff) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with - and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 to resolve this issue when it is released.
Analysis (AI)
Arbitrary file overwrite in mcp-server-git prior to version 2025.12.17 allows unauthenticated remote attackers, given user interaction, to overwrite files via unsanitized command-line arguments passed to git CLI functions. The vulnerability affects the git_diff and git_checkout operations, where flag-like values (e.g., --output=/path/to/file) are interpreted as git options rather than validated references, enabling attackers to redirect output to arbitrary filesystem locations. CVSS 6.3 reflects high integrity impact with low availability impact; EPSS signal and active exploitation status were not independently confirmed at analysis time.
Technical Context (AI)
mcp-server-git is a Model Context Protocol (MCP) server implementation that exposes git operations through a structured interface. The vulnerability stems from CWE-88 (Improper Neutralization of Argument Delimiters in a Command), where the git_diff and git_checkout functions construct git CLI commands using unsanitized user input. The git command-line parser interprets arguments beginning with a hyphen (-) as options; an attacker providing input such as --output=/tmp/malicious.txt causes git to write output to that path instead of treating it as a git reference. The rev_parse command is the legitimate mechanism to validate that a string resolves to a valid git ref; the fix adds this validation plus argument prefix filtering to reject option-like inputs before command execution.
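The two checks the fix adds (refuse option-like values, then confirm the value is a real ref via rev-parse), as an added Python example that is not mcp-server-git's own code; the function names and the injectable `resolver` parameter are assumptions made for illustration and testing:

```python
import subprocess
from typing import Callable, List


class InvalidRefError(ValueError):
    """Raised when a caller-supplied value must not reach the git CLI."""


def git_rev_parse_ok(repo: str, ref: str) -> bool:
    """True only if `ref` resolves to an object in the repository at `repo`.

    `--verify` makes rev-parse fail unless exactly one valid object name is
    given; `--quiet` silences the error text. Any failure (unknown ref, not a
    repository, git not installed) counts as invalid: fail closed.
    """
    try:
        proc = subprocess.run(
            ["git", "-C", repo, "rev-parse", "--verify", "--quiet", ref],
            capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:  # no git binary on PATH
        return False
    return proc.returncode == 0 and bool(proc.stdout.strip())


def validate_git_ref(repo: str, ref: str,
                     resolver: Callable[[str, str], bool] = git_rev_parse_ok) -> str:
    """Mirror the checks the fix performs before a ref reaches git diff/checkout.

    1. A value starting with '-' would be parsed by git as an option
       (e.g. --output=<file> makes `git diff` write to that file), so it is
       refused before any subprocess is spawned.
    2. The value must resolve to a real object via rev-parse.
    `resolver` (hypothetical parameter) lets the checks run without a repo.
    """
    if not ref or ref != ref.strip():
        raise InvalidRefError("empty or whitespace-padded ref")
    if ref.startswith("-"):
        raise InvalidRefError(f"option-like argument rejected: {ref!r}")
    if not resolver(repo, ref):
        raise InvalidRefError(f"not a valid git ref in {repo}: {ref!r}")
    return ref


def safe_diff_argv(repo: str, target: str,
                   resolver: Callable[[str, str], bool] = git_rev_parse_ok) -> List[str]:
    """Build argv for `git diff <target>` only from a validated target."""
    return ["git", "-C", repo, "diff", validate_git_ref(repo, target, resolver)]
```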
Remediation (AI)
Vendor-released patch: mcp-server-git 2025.12.17. Users must update to version 2025.12.17 or later, which adds input validation that rejects arguments starting with a hyphen and verifies that arguments resolve to valid git refs via rev_parse before passing them to the git CLI. No workarounds are documented for earlier versions; immediate upgrade is the sole mitigation. Installation and upgrade instructions are available in the official repository and in the GitHub Security Advisory at https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59.