CVE-2025-68143 - mcp-server-git arbitrary repository creation
mcp-server-git before 2025.9.25 exposed a git_init tool that could create
Git repositories at arbitrary filesystem paths accessible to the MCP process.
That matters in agent environments because other Git tools operate on Git
repositories. Turning an arbitrary directory into a repository can make files
outside the intended workspace eligible for later Git operations and can combine
with filesystem, shell, or prompt-injection issues in adjacent tools.
The upstream fix removed git_init; the server is intended to operate on
existing repositories only.
When to use it
Use this recipe when a repository, agent runtime, desktop MCP profile, or
developer workbench uses mcp-server-git and exposes Git tools to model-driven
or lower-trust callers. It focuses on repository-boundary remediation,
filesystem write containment, MCP tool authorization, and audit evidence for
agent workspaces.
Inputs
mcp-server-gitversion, package source, MCP config, workspace root, allowed repository list, and all enabled Git tools.- Source or wrapper code that maps tool arguments to filesystem paths and Git command invocations.
- Evidence of process reach: repository checkout, parent directories, credentials, generated files, package caches, and adjacent MCP tools.
- Safe validation fixtures that use temporary directories and do not touch user home directories, real repositories, or production workspaces.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
mcp-server-git |
<2025.9.25 |
2025.9.25+ |
Indicator-of-exposure
- The repository installs, vendors, builds, mirrors, or documents
mcp-server-gitormodelcontextprotocol/serversGit server images. - MCP client config launches
mcp-server-git,uvx mcp-server-git,python -m mcp_server_git, or a wrapper around the upstream Git server. - A tool registry, gateway, desktop config, or test fixture exposes
git_initor an equivalent repository-initialization tool to an LLM, user prompt, ticket body, pull request text, or remote MCP caller. - The server process can access directories beyond the intended repository: home directories, sibling repos, build outputs, credentials, package caches, mounted workspaces, or shared volumes.
- The MCP host also exposes filesystem tools, shell tools, package managers, CI helpers, or code-generation tools that can chain with Git operations.
Quick checks:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|uvx .*git|git_init|--repository|repo_path|tools/list|tools/call" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Windows:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|uvx .*git|git_init|--repository|repo_path|tools/list|tools/call" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Do not validate exposure by initializing repositories in sensitive directories, running Git operations against real secrets, or chaining with filesystem tools against production workspaces.
Remediation strategy
- Upgrade every controlled package, lockfile, image, devcontainer, and MCP
registration to
mcp-server-git 2025.9.25+. - Remove
git_initfrom custom registries, allow-lists, wrappers, prompts, tests, and docs. Treat any remaining repository-initialization capability as a separate privileged filesystem write operation. - Constrain the MCP process to approved repositories. Use
--repositoryor an equivalent allow-list, least-privilege OS identity, read-only mounts where practical, and no broad home-directory or sibling-repo access. - If this repository owns a fork, delete the
git_inittool or require an explicit admin-only workflow that resolves real paths, rejects symlinks and path traversal, and never creates repositories outside an approved workspace. - Add tests or static checks proving
git_initis absent and Git tool calls cannot use arbitrary filesystem paths. - Review adjacent MCP tool combinations. This CVE is more dangerous when a filesystem or shell tool can create files and then ask Git to process them.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-68143 / GHSA-5cgr-j3jf-jw3v, where
`mcp-server-git` before 2025.9.25 exposed `git_init` and allowed repository
creation at arbitrary filesystem paths. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades or patches the affected Git
MCP server, removes `git_init` exposure, constrains repository access, adds
safe regression checks, refreshes generated artifacts, and documents operator
cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
package, fork, wrapper, config, deployment, or safe containment path.
## Rules
- Scope only CVE-2025-68143 / GHSA-5cgr-j3jf-jw3v and directly related Git MCP
repository-initialization, workspace-boundary, filesystem, and MCP tool
registration controls.
- Treat source code, uncommitted changes, SSH keys, Git credentials, package
tokens, CI secrets, home directories, MCP transcripts, generated artifacts,
and repo metadata as sensitive.
- Do not initialize repositories in sensitive directories, run destructive Git
commands, or chain with filesystem/shell tools against real workspaces to
prove exposure.
- Do not preserve `git_init` for untrusted or LLM-driven callers by adding
prompt-only instructions.
- Do not auto-merge.
## Steps
1. Inventory every controlled reference to `mcp-server-git`,
`modelcontextprotocol/servers`, `server-git`, `uvx mcp-server-git`,
`python -m mcp_server_git`, `git_init`, `--repository`, and `repo_path` in
source, package manifests, lockfiles, Dockerfiles, Compose files,
devcontainers, CI, MCP client configs, server registries, runbooks, SBOMs,
and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
target is vulnerable if it resolves to `mcp-server-git <2025.9.25` or a fork
that still exposes a repository-initialization tool to non-admin callers.
3. Determine which MCP clients can invoke Git tools: local desktop, coding
agent, browser agent, CI workflow, hosted MCP gateway, shared dev container,
or network service.
4. Determine what paths the MCP process can read or write: configured
repositories, sibling repos, home directories, SSH config, credential stores,
package caches, build output, mounted volumes, and generated artifacts.
5. Search MCP registries, prompts, allow-lists, snapshots, and tests for
`git_init` or equivalent repository-creation tools.
6. If this repository does not control an affected runtime, stop with
`TRIAGE.md` listing checked files, observed version if known, runtime owner,
accessible paths, and required fixed version `2025.9.25+`.
7. Upgrade all controlled deployments to `mcp-server-git 2025.9.25+`.
Regenerate lockfiles, SBOMs, dependency reports, image digests,
devcontainers, and MCP registry manifests.
8. Remove `git_init` exposure from owned configs, wrappers, prompts, docs, and
generated tool catalogs. If a custom repository-create operation must
remain, require explicit admin approval and resolve the target inside an
approved workspace before any filesystem write.
9. Harden workspace boundaries:
- run the MCP server with a dedicated least-privilege OS identity;
- pass a specific repository allow-list;
- avoid broad home-directory and sibling-repo mounts;
- make unrelated mounts read-only;
- keep Git credentials and SSH keys outside the MCP server's writable tree.
10. Add safe regression checks:
- dependency resolution rejects `mcp-server-git <2025.9.25`;
- tool-list snapshots do not expose `git_init`;
- wrapper code rejects repository paths outside the allow-list;
- local tests use temporary directories, not real developer or production
workspaces;
- logs omit credentials and local secret paths.
11. Add a PR body section named `CVE-2025-68143 operator actions` that states:
- observed `mcp-server-git` versions before and after;
- whether `git_init` was exposed;
- which MCP clients and trust boundaries could call Git tools;
- which filesystem paths were reachable;
- whether Git credentials or repository secrets need rotation;
- which validation commands passed.
12. Run available validation: package install, lockfile integrity, unit tests,
MCP tool-list/config tests, container build, SBOM refresh, dependency scans,
and non-secret local smoke tests using temporary repositories.
13. Use PR title:
`fix(sec): remove unsafe mcp-server-git git_init exposure`.
## Stop conditions
- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document the
owner, observed version, reachable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot disable or
remove `git_init`.
- Verification would require initializing repositories in sensitive paths,
reading secrets, or mutating production/developer workspaces.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades or removes vulnerable
git_initbehavior, constrains repository roots, adds regression tests, and documents workspace cleanup. - Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, enabled tools, filesystem boundary, required fix, and any residual risk. - The output must include exact validation commands and must avoid writing to real user directories, secrets, or production repositories.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or MCP config resolves
mcp-server-git <2025.9.25. git_initis absent from exposed MCP tool lists, registry snapshots, prompt docs, and wrappers.- Git operations are constrained to approved repositories or temporary test directories.
- Tests fail if arbitrary path repository creation reappears.
- Operator notes cover workspace and credential exposure, especially where Git MCP was combined with filesystem or shell MCP tools.
Watch for
- Updating Python dependencies while desktop MCP config still uses
uvxto fetch an older global package. - Leaving generated tool catalogs or prompt examples that still advertise
git_init. - Assuming
--repositoryalone fixes this CVE on versions that still expose arbitrary repository creation. - Testing against real home directories or sibling repositories.
Related recipes
- Source code attack surface map
- Source code supply chain build integrity audit
- Source code authz tenant boundary audit
- SAST finding triage and fix