CVE-2025-68145

Severity: MEDIUM
Date: 2025-12-17 [email protected]
Score: 6.4 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: P (Passive)
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 14, 2026 - 15:26 (vuln.today)

Description (NVD)

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue.

Analysis (AI)

Path traversal in mcp-server-git prior to version 2025.12.17 allows unauthenticated remote attackers to access repositories outside the configured repository restriction via unvalidated repo_path arguments in tool calls. When the server is started with the --repository flag to confine operations to a specific path, it did not verify that the repo_path supplied in subsequent tool calls stayed within that allowed directory, so calls could reach other repositories on the same system. An attacker with network access and passive user interaction (UI:P) can exploit this to read or modify git repositories beyond the intended scope.

Technical Context (AI)

mcp-server-git is a Model Context Protocol (MCP) server implementation that exposes git operations as callable tools. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) applies because the server accepted repo_path arguments in tool calls without canonical path validation against the configured --repository restriction. The flaw stems from insufficient path normalization and traversal checks: even where symlink resolution was performed, the code did not verify that the resolved path remained within the allowed directory boundary. This is a classic path traversal weakness in which user-controlled path input bypasses directory confinement, allowing access to sibling or parent directories that contain other git repositories.

Remediation (AI)

Upgrade mcp-server-git to version 2025.12.17 or later, which adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies that the requested path lies within the allowed repository before executing any git operation. If immediate patching is not possible, restrict network access to the mcp-server-git service to trusted clients only, run the server process with the minimum file system permissions it needs, and do not expose --repository-configured instances to untrusted users. Verify the upgrade by checking the installed version and reviewing the security advisory at https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5 for detailed changelog information.
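The containment check that the description and remediation refer to, written out as an added illustration (this is not mcp-server-git's own code); it resolves both the configured repository and the requested path, following symlinks, and rejects anything that lands outside. The directory layout under the temporary directory is constructed for the demo.

```python
# Added example: resolve-then-contain check of the kind the advisory describes.
# Illustrative code, not the project's implementation.
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class RepositoryPathError(ValueError):
    """Raised when a requested repo_path falls outside the allowed repository."""


def validate_repo_path(allowed_repo: str | os.PathLike, requested: str | os.PathLike) -> Path:
    """Return the canonical requested path if it lies inside allowed_repo.

    Path.resolve() follows symlinks and normalises '..', so both a lexical
    escape ('../other') and a symlink inside the allowed tree that points
    elsewhere end up outside `allowed` and are rejected.
    """
    allowed = Path(allowed_repo).resolve(strict=True)
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = allowed / candidate  # relative requests are relative to the repo
    resolved = candidate.resolve()
    if not resolved.is_relative_to(allowed):  # True when resolved == allowed
        raise RepositoryPathError(f"{str(requested)!r} resolves to {resolved}, outside {allowed}")
    return resolved


def demo() -> dict:
    """Exercise the check against a constructed layout (hypothetical paths):
    base/allowed/ is the --repository, base/other/ a sibling repository, and
    base/allowed/escape is a symlink to base/other."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        allowed, other = Path(base) / "allowed", Path(base) / "other"
        (allowed / "nested").mkdir(parents=True)
        other.mkdir()
        (allowed / "escape").symlink_to(other, target_is_directory=True)
        cases = [("nested", "nested"), ("self", str(allowed)), ("dotdot", "../other"),
                 ("symlink", "escape"), ("absolute", str(other))]
        for label, req in cases:
            try:
                validate_repo_path(allowed, req)
                results[label] = "allowed"
            except RepositoryPathError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:>9}: {verdict}")
```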
