CVE-2025-68144
📋 TL;DR
mcp-server-git passed the target value given to its git_diff tool and the branch name given to its git_checkout tool straight into git's argument list. A value that begins with a hyphen (for example a --output= option) is therefore parsed by git as a command-line flag rather than as a revision or branch, which lets whoever controls that value make git write to an arbitrary path the server process can write to. Versions before 2025.12.17 are affected wherever git_diff or git_checkout can be driven by untrusted input, which for an MCP server includes a model acting on attacker-controlled content.
💻 Affected Systems
- mcp-server-git
⚠️ Manual Verification Required
This site's database entry for the CVE carries no machine-readable version range, so automatic vulnerability detection cannot determine whether your installation is affected.
Why? NVD does not publish version ranges for this entry. The vendor advisory does, however, name 2025.12.17 as the fixed release, so treat any earlier version as vulnerable until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Code execution as the account running mcp-server-git, by overwriting a file that account can write and that is later executed or sourced (shell startup files, cron or systemd user units, git hooks inside the repository), or destruction of data the account can reach. If the server runs as root this becomes full system compromise.
Likely Case
Data corruption or loss through overwriting application files, configuration files, or user data in the context of the running process.
If Mitigated
Limited impact if the server rejects flag-like arguments and runs under a dedicated low-privilege account whose writable filesystem is confined to the repositories it serves, so the only files an injected --output can reach are ones the process was already allowed to modify.
🎯 Exploit Status
Exploitation only requires control over the target argument of git_diff or the branch argument of git_checkout. MCP servers typically have no authentication layer of their own, so no bypass is needed: any client, or any prompt-injected model, that can cause one of these tool calls with a chosen argument can exploit it. This page references no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.12.17
Vendor Advisory: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59
Restart Required: Yes
Instructions:
1. Update mcp-server-git to version 2025.12.17 or later.
2. Restart the mcp-server-git process (and the MCP client that spawned it, if it was started over stdio).
3. Verify the fix by calling git_diff with a hyphen-prefixed target such as --output=<path to a scratch file in a temp directory>: the call should be rejected and the file must not be created.
🔧 Temporary Workarounds
Input Validation Wrapper
Applies to: all platforms. Add validation in front of git_diff and git_checkout that rejects any argument starting with a hyphen before it is handed to git.
# Implement input validation in your application code to reject arguments starting with '-'
Function Restriction
Applies to: all platforms. Disable git_diff and git_checkout, or restrict them to trusted callers, if your workflow does not need them.
# Modify configuration to disable the vulnerable tools or restrict access to trusted users only
🧯 If You Can't Patch
- Implement strict input validation at the application layer to reject any arguments starting with hyphens
- Run mcp-server-git with minimal privileges and restrict filesystem access using chroot, containers, or filesystem permissions
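The validation wrapper described under Temporary Workarounds and If You Can't Patch, written out as an added example (this is not mcp-server-git's own code; the function names, the log format and the `run_git` helper are illustrative). It contrasts the unsafe pattern, user input going straight into git's argv, with a hardened version that allowlists what a revision or branch name may look like and refuses anything git could parse as an option:

```python
import re
import subprocess
from typing import List

# Added example (not mcp-server-git's own code): a validation wrapper for the
# two user-supplied values the advisory names, the revision passed to git diff
# and the branch passed to git checkout. All names below are illustrative.

# Conservative allowlist for a git revision or branch name: must start with an
# alphanumeric (so never with '-'), then only characters common in refs and
# revision syntax such as HEAD~1, origin/feature-x, main..HEAD.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^@{}-]*$")


def is_safe_ref(value: str) -> bool:
    """True if value cannot be parsed by git as an option and looks like a ref."""
    return bool(value) and not value.startswith("-") and _REF_RE.match(value) is not None


def validate_ref(value: str) -> str:
    """Return value unchanged, or raise ValueError with the reason it was rejected."""
    if not value:
        raise ValueError("empty git argument")
    if value.startswith("-"):
        # The CVE-2025-68144 pattern: '--output=/path' reaches git as an option,
        # and git diff writes its output to that path instead of stdout.
        raise ValueError(f"argument would be parsed as a git option: {value!r}")
    if _REF_RE.match(value) is None:
        raise ValueError(f"unexpected characters in git ref: {value!r}")
    return value


def vulnerable_diff_argv(target: str) -> List[str]:
    """Mirrors the unsafe pattern: user input goes straight into git's argv."""
    return ["git", "diff", target]


def hardened_diff_argv(target: str) -> List[str]:
    """Same command, but the target is validated before it touches argv."""
    return ["git", "diff", validate_ref(target)]


def hardened_checkout_argv(branch: str) -> List[str]:
    """Branch names get the same allowlist; a leading '-' is never a branch."""
    return ["git", "checkout", validate_ref(branch)]


def run_git(argv: List[str], repo_dir: str) -> str:
    """Run a pre-built, validated git argv inside repo_dir; never goes through a shell."""
    proc = subprocess.run(argv, cwd=repo_dir, capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    for value in ["HEAD~1", "origin/main", "--output=/tmp/overwritten", "-q", ""]:
        try:
            print(value, "->", hardened_diff_argv(value))
        except ValueError as exc:
            print(value, "-> rejected:", exc)
```

Note that inserting a bare `--` before the value is not a substitute for validation here: after `--`, both `git diff` and `git checkout` treat the argument as a pathspec rather than a revision or branch, so the call would silently change meaning instead of failing closed.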
🔍 How to Verify
Check if Vulnerable:
You are vulnerable if your mcp-server-git version is earlier than 2025.12.17 and the git_diff target or git_checkout branch_name argument can be influenced by anything you do not fully trust (an MCP client, or a model that reads untrusted content).
Check Version:
Run pip show mcp-server-git (or the equivalent for the tool that installed it, e.g. uv) and compare the Version field against 2025.12.17.
Verify Fix Applied:
Call git_diff with a hyphen-prefixed target such as --output=<scratch file in a temp directory> (do not aim at real system files such as /etc/passwd). A patched server rejects the argument and the scratch file is never created; an unpatched one writes the diff output there.
📡 Detection & Monitoring
Log Indicators:
- Unusual git commands with flag-like arguments in application logs
- Failed file operations or permission errors from unexpected paths
Network Indicators:
- Unusual patterns of requests to git_diff/git_checkout endpoints with suspicious parameters
SIEM Query:
Search MCP tool-call logs for git_diff or git_checkout invocations in which the target or branch_name argument begins with a hyphen; --output= is the specific value to alert on first.
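The SIEM query above, implemented as an added detection example that is not part of the original page or of mcp-server-git. The JSON log format and the constructed sample lines are assumptions for the example; adapt the field names to whatever your MCP host actually writes:

```python
import json
from typing import Dict, Iterable, List

# Added detection example (not part of the original page or of mcp-server-git):
# scans MCP tool-call log lines for git_diff / git_checkout invocations whose
# string arguments start with '-'. The JSON log format below is constructed for
# this example; adapt the field names to whatever your MCP host actually emits.

WATCHED_TOOLS = {"git_diff", "git_checkout"}

# Constructed sample log: two benign calls, two injection attempts, one junk line.
SAMPLE_LOG = """\
{"ts": "2025-12-18T10:00:01Z", "tool": "git_diff", "args": {"repo_path": "/srv/app", "target": "HEAD~1"}}
{"ts": "2025-12-18T10:00:02Z", "tool": "git_diff", "args": {"repo_path": "/srv/app", "target": "--output=/home/svc/.bashrc"}}
{"ts": "2025-12-18T10:00:03Z", "tool": "git_checkout", "args": {"repo_path": "/srv/app", "branch_name": "-q"}}
{"ts": "2025-12-18T10:00:04Z", "tool": "git_status", "args": {"repo_path": "/srv/app"}}
this line is not JSON and must be skipped, not crash the scan
"""


def flag_option_injection(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per watched-tool call whose argument looks like a git flag."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed line: skip it, a SIEM would route it elsewhere
        if event.get("tool") not in WATCHED_TOOLS:
            continue
        for param, value in (event.get("args") or {}).items():
            # Only string-typed arguments can reach git's argv; a leading '-' is
            # the tell for CVE-2025-68144-style option injection.
            if isinstance(value, str) and value.startswith("-"):
                findings.append({
                    "ts": str(event.get("ts", "")),
                    "tool": event["tool"],
                    "param": param,
                    "value": value,
                })
    return findings


if __name__ == "__main__":
    for f in flag_option_injection(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['tool']} {f['param']}={f['value']!r}")
```

Tune the rule per parameter rather than per tool once you know your log schema: repo_path is a filesystem path and should never start with a hyphen either, but it is the target and branch_name values that git's option parser sees, so those are the ones that warrant a high-severity alert.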