CVE-2025-68143 - mcp-server-git arbitrary repository creation

mcp-server-git before 2025.9.25 exposed a git_init tool that could create Git repositories at arbitrary filesystem paths accessible to the MCP process. That matters in agent environments because other Git tools operate on Git repositories. Turning an arbitrary directory into a repository can make files outside the intended workspace eligible for later Git operations and can combine with filesystem, shell, or prompt-injection issues in adjacent tools.

The upstream fix removed git_init; the server is intended to operate on existing repositories only.

When to use it

Use this recipe when a repository, agent runtime, desktop MCP profile, or developer workbench uses mcp-server-git and exposes Git tools to model-driven or lower-trust callers. It focuses on repository-boundary remediation, filesystem write containment, MCP tool authorization, and audit evidence for agent workspaces.

Inputs

  • mcp-server-git version, package source, MCP config, workspace root, allowed repository list, and all enabled Git tools.
  • Source or wrapper code that maps tool arguments to filesystem paths and Git command invocations.
  • Evidence of process reach: repository checkout, parent directories, credentials, generated files, package caches, and adjacent MCP tools.
  • Safe validation fixtures that use temporary directories and do not touch user home directories, real repositories, or production workspaces.

Affected versions

Package Vulnerable versions Fixed versions
mcp-server-git <2025.9.25 2025.9.25+

Indicator-of-exposure

  • The repository installs, vendors, builds, mirrors, or documents mcp-server-git or modelcontextprotocol/servers Git server images.
  • MCP client config launches mcp-server-git, uvx mcp-server-git, python -m mcp_server_git, or a wrapper around the upstream Git server.
  • A tool registry, gateway, desktop config, or test fixture exposes git_init or an equivalent repository-initialization tool to an LLM, user prompt, ticket body, pull request text, or remote MCP caller.
  • The server process can access directories beyond the intended repository: home directories, sibling repos, build outputs, credentials, package caches, mounted workspaces, or shared volumes.
  • The MCP host also exposes filesystem tools, shell tools, package managers, CI helpers, or code-generation tools that can chain with Git operations.

Quick checks:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|uvx .*git|git_init|--repository|repo_path|tools/list|tools/call" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Windows:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|uvx .*git|git_init|--repository|repo_path|tools/list|tools/call" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Do not validate exposure by initializing repositories in sensitive directories, running Git operations against real secrets, or chaining with filesystem tools against production workspaces.

Remediation strategy

  • Upgrade every controlled package, lockfile, image, devcontainer, and MCP registration to mcp-server-git 2025.9.25+.
  • Remove git_init from custom registries, allow-lists, wrappers, prompts, tests, and docs. Treat any remaining repository-initialization capability as a separate privileged filesystem write operation.
  • Constrain the MCP process to approved repositories. Use --repository or an equivalent allow-list, least-privilege OS identity, read-only mounts where practical, and no broad home-directory or sibling-repo access.
  • If this repository owns a fork, delete the git_init tool or require an explicit admin-only workflow that resolves real paths, rejects symlinks and path traversal, and never creates repositories outside an approved workspace.
  • Add tests or static checks proving git_init is absent and Git tool calls cannot use arbitrary filesystem paths.
  • Review adjacent MCP tool combinations. This CVE is more dangerous when a filesystem or shell tool can create files and then ask Git to process them.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-68143 / GHSA-5cgr-j3jf-jw3v, where
`mcp-server-git` before 2025.9.25 exposed `git_init` and allowed repository
creation at arbitrary filesystem paths. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or patches the affected Git
  MCP server, removes `git_init` exposure, constrains repository access, adds
  safe regression checks, refreshes generated artifacts, and documents operator
  cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
  package, fork, wrapper, config, deployment, or safe containment path.

## Rules

- Scope only CVE-2025-68143 / GHSA-5cgr-j3jf-jw3v and directly related Git MCP
  repository-initialization, workspace-boundary, filesystem, and MCP tool
  registration controls.
- Treat source code, uncommitted changes, SSH keys, Git credentials, package
  tokens, CI secrets, home directories, MCP transcripts, generated artifacts,
  and repo metadata as sensitive.
- Do not initialize repositories in sensitive directories, run destructive Git
  commands, or chain with filesystem/shell tools against real workspaces to
  prove exposure.
- Do not preserve `git_init` for untrusted or LLM-driven callers by adding
  prompt-only instructions.
- Do not auto-merge.

## Steps

1. Inventory every controlled reference to `mcp-server-git`,
   `modelcontextprotocol/servers`, `server-git`, `uvx mcp-server-git`,
   `python -m mcp_server_git`, `git_init`, `--repository`, and `repo_path` in
   source, package manifests, lockfiles, Dockerfiles, Compose files,
   devcontainers, CI, MCP client configs, server registries, runbooks, SBOMs,
   and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
   target is vulnerable if it resolves to `mcp-server-git <2025.9.25` or a fork
   that still exposes a repository-initialization tool to non-admin callers.
3. Determine which MCP clients can invoke Git tools: local desktop, coding
   agent, browser agent, CI workflow, hosted MCP gateway, shared dev container,
   or network service.
4. Determine what paths the MCP process can read or write: configured
   repositories, sibling repos, home directories, SSH config, credential stores,
   package caches, build output, mounted volumes, and generated artifacts.
5. Search MCP registries, prompts, allow-lists, snapshots, and tests for
   `git_init` or equivalent repository-creation tools.
6. If this repository does not control an affected runtime, stop with
   `TRIAGE.md` listing checked files, observed version if known, runtime owner,
   accessible paths, and required fixed version `2025.9.25+`.
7. Upgrade all controlled deployments to `mcp-server-git 2025.9.25+`.
   Regenerate lockfiles, SBOMs, dependency reports, image digests,
   devcontainers, and MCP registry manifests.
8. Remove `git_init` exposure from owned configs, wrappers, prompts, docs, and
   generated tool catalogs. If a custom repository-create operation must
   remain, require explicit admin approval and resolve the target inside an
   approved workspace before any filesystem write.
9. Harden workspace boundaries:
   - run the MCP server with a dedicated least-privilege OS identity;
   - pass a specific repository allow-list;
   - avoid broad home-directory and sibling-repo mounts;
   - make unrelated mounts read-only;
   - keep Git credentials and SSH keys outside the MCP server's writable tree.
10. Add safe regression checks:
    - dependency resolution rejects `mcp-server-git <2025.9.25`;
    - tool-list snapshots do not expose `git_init`;
    - wrapper code rejects repository paths outside the allow-list;
    - local tests use temporary directories, not real developer or production
      workspaces;
    - logs omit credentials and local secret paths.
11. Add a PR body section named `CVE-2025-68143 operator actions` that states:
    - observed `mcp-server-git` versions before and after;
    - whether `git_init` was exposed;
    - which MCP clients and trust boundaries could call Git tools;
    - which filesystem paths were reachable;
    - whether Git credentials or repository secrets need rotation;
    - which validation commands passed.
12. Run available validation: package install, lockfile integrity, unit tests,
    MCP tool-list/config tests, container build, SBOM refresh, dependency scans,
    and non-secret local smoke tests using temporary repositories.
13. Use PR title:
    `fix(sec): remove unsafe mcp-server-git git_init exposure`.

## Stop conditions

- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
  or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document the
  owner, observed version, reachable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot disable or
  remove `git_init`.
- Verification would require initializing repositories in sensitive paths,
  reading secrets, or mutating production/developer workspaces.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades or removes vulnerable git_init behavior, constrains repository roots, adds regression tests, and documents workspace cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, enabled tools, filesystem boundary, required fix, and any residual risk.
  • The output must include exact validation commands and must avoid writing to real user directories, secrets, or production repositories.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or MCP config resolves mcp-server-git <2025.9.25.
  • git_init is absent from exposed MCP tool lists, registry snapshots, prompt docs, and wrappers.
  • Git operations are constrained to approved repositories or temporary test directories.
  • Tests fail if arbitrary path repository creation reappears.
  • Operator notes cover workspace and credential exposure, especially where Git MCP was combined with filesystem or shell MCP tools.

Watch for

  • Updating Python dependencies while desktop MCP config still uses uvx to fetch an older global package.
  • Leaving generated tool catalogs or prompt examples that still advertise git_init.
  • Assuming --repository alone fixes this CVE on versions that still expose arbitrary repository creation.
  • Testing against real home directories or sibling repositories.

References