CVE-2025-68145
mcp-server-git has missing path validation when using --repository flag
Description
In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue.
INFO
Published Date :
Dec. 17, 2025, 11:16 p.m.
Last Modified :
April 14, 2026, 3:13 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2025-68145
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | [email protected] | ||||
| CVSS 4.0 | MEDIUM | [email protected] |
Solution
- Upgrade mcp-server-git to version 2025.12.17.
- Ensure repository paths are validated before use.
Public PoC/Exploit Available at Github
CVE-2025-68145 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-68145.
| URL | Resource |
|---|---|
| https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5 | Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-68145 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-68145
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Security gateway for MCP traffic. 5 built-in rules block prompt injection, credential leakage, path traversal, cross-repo exfiltration, and destructive commands. One pip install, zero config.
mcp security python proxy claude ai-agents prompt-injection self-hosted model-context-protocol llm-security ai-security cursor security-tools path-traversal credential-leakage
Python
A transparent inspection proxy for LLM API traffic and MCP tool call flows
The most comprehensive LLM + MCP security guide i.e. OWASP aligned, real CVEs, actionable checklists
ai-security claude cybersecurity generative-ai infosec jailbreak langchain llm-security mcp-security openai owasp prompt-injection red-teaming
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
ai-agent-security ai-agents ai-security awesome-list cybersecurity llm-security mcp-security prompt-injection supply-chain-security adversarial-attacks agent-security agentic-ai ai-attacks ai-safety cve incident-response owasp red-team security-research vulnerability
Runtime security proxy for MCP servers — the open-source firewall between AI agents and tools
Dockerfile Go
None
Rust Python
ESLint security rules for MCP servers — catches SANDWORM_MODE credential harvesting, path traversal, command injection, and CVE patterns at dev time
eslint eslint-plugin mcp security supply-chain
TypeScript JavaScript
Zero-dependency MCP security linter — 54 OWASP-mapped checks, 56 malicious packages, 28 CVEs. pip install mcp-config-guard
ai-safety claude-code linter mcp model-context-protocol owasp python sarif security vulnerability-scanner
Python
Supply chain security scanner for MCP servers. Detect typosquats, CVEs, credential leaks, and dangerous permissions in your AI agent configs.
JavaScript
mcp scanner
Python Shell
Antivirus for AI coding agents. Scan your machine, map which AI tools can reach your secrets, block threats before they happen.
ai-agents ai-safety bash claude-code credential-scanning llm owasp security
Shell JavaScript TypeScript
Policy-as-code enforcement and observability for MCP tool calls. Wraps AI agent sessions with cryptographic integrity checks, argument-level CEL policies, and a full audit trail.
ai security mcp-client mcp agentic-ai ai-security firewall llm-security mcp-security model-context-protocol prompt-injection tool-poisoning
Python YARA
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-68145 vulnerability anywhere in the article.
-
CybersecurityNews
Multiple 0-day Vulnerabilities in Anthropic Git MCP Server Enables Code Execution
Three zero-day vulnerabilities in mcp-server-git, the reference implementation of Git integration for the Model Context Protocol (MCP). The flaws stem from insufficient input validation and argument s ... Read more
-
The Hacker News
Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete ar ... Read more
-
The Register
Anthropic quietly fixed flaws in its Git MCP server that allowed for remote code execution
Anthropic has fixed three bugs in its official Git MCP server that researchers say can be chained with other MCP tools to remotely execute malicious code or overwrite files via prompt injection. The G ... Read more
The following table lists the changes that have been made to the
CVE-2025-68145 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 14, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Added CPE Configuration OR *cpe:2.3:a:lfprojects:model_context_protocol_servers:*:*:*:*:*:*:*:* versions up to (excluding) 2025.12.18 Added Reference Type GitHub, Inc.: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5 Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 17, 2025
Action Type Old Value New Value Added Description In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-22 Added Reference https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5