Path Traversal Vulnerability in mcp-server-git by Model Context Protocol
CVE-2025-68145

6.4 MEDIUM

Key Information:

Vendor: Model Context Protocol
CVE Published: 17 December 2025

What is CVE-2025-68145?

mcp-server-git, the reference git server from the Model Context Protocol project, accepts a --repository flag that is meant to confine every tool call to a single repository. Before version 2025.12.17 the server did not verify that the repository path supplied in later tool calls actually lay inside that directory, so a client able to issue tool calls could direct git operations at any other repository readable by the server process on the host. In typical MCP deployments that client is an LLM agent, which may be steered by untrusted content it has read, so the flag provided weaker containment than operators relying on it would expect. The fix in 2025.12.17 resolves each requested path and rejects it unless it is the permitted repository or a path beneath it. Upgrade to 2025.12.17 or later; until then, run the server with a filesystem view that contains only the repository it is meant to serve.
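The containment check the fix adds, as an added example that is not mcp-server-git's own code: a validator for a server pinned to --repository, run against constructed inputs. For contrast it also shows a string-prefix comparison, a common wrong fix that is included here for illustration and is not attributed to the project. Function names and the temporary directory layout are hypothetical; the block assumes Python 3.9+ on a POSIX filesystem (the symlink case needs symlink support).

```python
"""Path containment for a git MCP server pinned to one repository.

Added example, not mcp-server-git's own code. Function names and the
temporary directory layout are hypothetical; assumes Python 3.9+ on a
POSIX filesystem (the symlink case needs symlink support).
"""
import tempfile
from pathlib import Path


def naive_prefix_check(requested: str, allowed_root: Path) -> bool:
    """A common wrong fix (added for contrast): string-prefix compare on
    unresolved paths. '..' segments, symlinks, and sibling directories that
    merely share the prefix all pass."""
    return str(allowed_root / requested).startswith(str(allowed_root))


def validate_repo_path(requested: str, allowed_root: Path) -> Path:
    """Resolve both sides, then require the target to be the permitted
    repository or something beneath it. Resolving first is what defeats
    '..', absolute paths, and symlinks that point outside the root.
    The pre-fix behaviour the advisory describes had no check here at all."""
    root = allowed_root.resolve(strict=True)
    target = (root / requested).resolve()  # an absolute `requested` replaces root
    if not target.is_relative_to(root):
        raise PermissionError(f"{requested!r} resolves outside {root}")
    return target


def build_layout(base: Path) -> Path:
    """Constructed layout: the permitted repo, a secret sibling, a sibling
    whose name shares the permitted repo's prefix, and a symlink inside
    the permitted repo that escapes to the secret one."""
    allowed = base / "allowed-repo"
    secret = base / "secret-repo"
    lookalike = base / "allowed-repo-evil"
    for d in (allowed, secret, lookalike):
        d.mkdir()
    (allowed / "README").write_text("public\n")
    (secret / "key").write_text("private\n")
    (lookalike / "key").write_text("private\n")
    (allowed / "escape").symlink_to(secret, target_is_directory=True)
    return allowed


def run_checks() -> dict:
    """Return {case: {'naive': bool, 'hardened': bool}} for each input,
    where True means the path was accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        allowed = build_layout(base)
        cases = {
            "inside": "README",
            "dotdot": "../secret-repo/key",
            "absolute": str(base / "secret-repo" / "key"),
            "symlink": "escape/key",
            "sibling_prefix": "../allowed-repo-evil/key",
        }
        for name, req in cases.items():
            try:
                validate_repo_path(req, allowed)
                hardened = True
            except PermissionError:
                hardened = False
            results[name] = {
                "naive": naive_prefix_check(req, allowed),
                "hardened": hardened,
            }
    return results


if __name__ == "__main__":
    for case, verdict in run_checks().items():
        print(f"{case:15} naive={verdict['naive']!s:5} hardened={verdict['hardened']}")
```

Only the "inside" case survives the resolve-then-compare check; the prefix comparison waves through the dot-dot, symlink and look-alike-sibling inputs. Two practical points: compare resolved paths on both sides, never raw strings, and hand the resolved target (not the caller's original string) to git, so a symlink swapped in after the check cannot be followed.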

Affected Version(s)

mcp-server-git (modelcontextprotocol/servers repository): all versions before 2025.12.17

CVSS v4

Score: 6.4
Severity: MEDIUM
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: not listed on this page
User Interaction: not listed on this page
Confidentiality: None
Integrity: None
Availability: None

Note on the impact metrics: a CVSS v4 base score cannot be 6.4 when every impact metric is None, so the three None values above must be the vulnerable-system metrics (VC/VI/VA), with the score carried by subsequent-system metrics this page does not list. That matches the bug: the git server itself is not compromised; the other repositories it can reach on the host are.

Timeline

  • Vulnerability published: 17 December 2025

  • Vulnerability reserved: date not listed on this page
