CVE-2025-68145 Overview
CVE-2025-68145 is a path traversal vulnerability [CWE-22] in mcp-server-git, a Model Context Protocol (MCP) server maintained in the LF Projects modelcontextprotocol/servers repository. When operators start the server with the --repository flag to confine operations to a single repository, the server fails to validate that repo_path arguments in subsequent tool calls remain inside the configured directory. An attacker who can issue tool calls to the server can target other repositories accessible to the server process, bypassing the intended sandbox. The issue is fixed in version 2025.12.17.
Critical Impact
Tool calls can operate on Git repositories outside the configured --repository path, breaking the boundary that operators rely on to isolate MCP-driven Git operations.
Affected Products
- modelcontextprotocol/servers — mcp-server-git versions prior to 2025.12.17
- Deployments launching mcp-server-git with the --repository flag for path confinement
- LF Projects Model Context Protocol Servers distribution
Discovery Timeline
- 2025-12-17 - CVE-2025-68145 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2025-68145
Vulnerability Analysis
The mcp-server-git component exposes Git operations as MCP tool calls that AI agents and other MCP clients can invoke. Operators commonly pass --repository <path> at startup to limit the server to a single working tree. The server stores this path but does not re-check it against the repo_path argument supplied in each tool invocation. As a result, a client can submit any filesystem path the server process can read or write, and Git operations execute against that target. This breaks the trust boundary that operators use when exposing an MCP endpoint to less-trusted LLM agents or shared environments.
Root Cause
The root cause is missing path containment validation [CWE-22]. The server accepts the repo_path argument and uses it directly without resolving symbolic links or verifying that the canonical path is a descendant of the configured --repository path. The patch in 2025.12.17 resolves both the configured repository and the requested path, follows symlinks, and rejects any request whose resolved target lies outside the allowed root before running Git commands.
Attack Vector
Exploitation requires the attacker to reach the MCP server's tool-call interface, typically through an MCP client or an LLM agent the server trusts. The attacker invokes a Git tool such as a status, log, or write operation with a repo_path pointing to an arbitrary location, for example /home/user/other-repo or a path linked through a symlink that escapes the configured directory. Because the server does not validate containment, the operation executes against the chosen path and returns repository contents or applies modifications. User interaction with an agent that relays the malicious tool call is the typical trigger.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-j22h-9j4x-23w5 for advisory details.
Detection Methods for CVE-2025-68145
Indicators of Compromise
- Tool-call logs from mcp-server-git containing repo_path values that resolve outside the directory passed to --repository.
- Git operations executing against repositories the operator did not intend to expose to the MCP client.
- Symlinks inside the configured repository pointing to external paths, used to bypass naive prefix checks.
Detection Strategies
- Audit mcp-server-git request logs and compare each repo_path argument to the canonical --repository path after resolving symlinks.
- Inventory running mcp-server-git processes and confirm the installed version is 2025.12.17 or later using package manifests or pip show mcp-server-git.
- Review MCP client transcripts for tool invocations that reference absolute paths or .. sequences outside the expected working tree.
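The containment comparison described under Root Cause and in the first detection strategy, as an added example (not code from the page or from the mcp-server-git project). The JSON log-line shape, the function names, and the temporary directory layout are constructed assumptions; the string-prefix test is included only to show which escapes it fails to flag.

```python
import json
import os
import tempfile
from pathlib import Path


def is_contained(root: str, requested: str) -> bool:
    """True if `requested`, with symlinks and '..' resolved, is `root` or below it."""
    root_real = Path(root).resolve()
    # Assumption for this audit: relative requests are interpreted against the root.
    req_real = (root_real / requested).resolve()
    return req_real == root_real or root_real in req_real.parents


def naive_prefix_ok(root: str, requested: str) -> bool:
    """String-prefix test, for contrast: misses '..', symlinks and sibling names."""
    return requested.startswith(root)


def audit(root: str, log_lines):
    """Return the repo_path values from JSON log lines that escape `root`."""
    flagged = []
    for line in log_lines:
        repo_path = json.loads(line).get("arguments", {}).get("repo_path")
        if repo_path is not None and not is_contained(root, repo_path):
            flagged.append(repo_path)
    return flagged


def demo():
    """Build a constructed directory layout and tool-call log, then audit it."""
    base = Path(tempfile.mkdtemp()).resolve()
    allowed = base / "allowed-repo"
    other = base / "other-repo"
    sibling = base / "allowed-repo-2"
    for d in (allowed / "src", other, sibling):
        d.mkdir(parents=True)
    os.symlink(other, allowed / "link")  # symlink inside the root pointing outside
    paths = [str(allowed), str(allowed / "src"), str(other),
             str(allowed / ".." / "other-repo"), str(allowed / "link"), str(sibling)]
    log = [json.dumps({"tool": "git_status", "arguments": {"repo_path": p}}) for p in paths]
    flagged = audit(str(allowed), log)
    naive_missed = [p for p in flagged if naive_prefix_ok(str(allowed), p)]
    return paths, flagged, naive_missed


if __name__ == "__main__":
    paths, flagged, naive_missed = demo()
    print("flagged:", flagged, "\nmissed by prefix check:", naive_missed)
```

Run the audit on the host where the server runs, since symlink resolution depends on that host's filesystem state at the time of the check.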
Monitoring Recommendations
- Forward MCP server stdout, stderr, and access logs to a central log store and alert on repo_path values whose resolved path does not fall under the configured root.
- Monitor filesystem activity by the mcp-server-git process for reads or writes outside the intended repository directory.
- Track Git command execution by the server process and correlate with originating MCP client identity for anomaly review.
How to Mitigate CVE-2025-68145
Immediate Actions Required
- Upgrade mcp-server-git to version 2025.12.17 or later on all hosts running the server.
- Restart any long-running MCP server processes after the upgrade to load the patched validation logic.
- Review the privileges of the user account running mcp-server-git and remove access to any repositories that should not be reachable.
Patch Information
The fix is shipped in mcp-server-git version 2025.12.17. The patch resolves both the configured repository path and the requested repo_path, follows symlinks during resolution, and rejects requests whose canonical path is not a descendant of the configured repository before executing Git operations. Refer to the GitHub Security Advisory GHSA-j22h-9j4x-23w5 for release details.
Workarounds
- Run mcp-server-git under a dedicated low-privilege user whose filesystem access is limited to the single intended repository.
- Place the server inside a container, chroot, or sandbox that exposes only the allowed repository path to the process.
- Restrict network exposure of the MCP endpoint to trusted clients and require authentication on the transport layer until patching is complete.
```bash
# Upgrade mcp-server-git to the patched release
pip install --upgrade 'mcp-server-git>=2025.12.17'

# Verify installed version
pip show mcp-server-git | grep -i version

# Example: launch the server confined to a single repository
mcp-server-git --repository /srv/git/allowed-repo
```


