CVE-2025-68144 - mcp-server-git diff and checkout argument injection

mcp-server-git before 2025.12.18 passed user-controlled git_diff and git_checkout arguments directly to Git CLI commands. Values that looked like Git options could be interpreted by the CLI instead of being treated as refs, allowing local file overwrites or unintended checkout behavior in the MCP server’s process context.

In agent environments, a “local file overwrite” can still be a serious control failure. The MCP server often runs next to repository credentials, generated code, CI files, prompt/tool manifests, package caches, and other tools that may consume files after Git writes them.

When to use it

Use this recipe when a repository, desktop MCP profile, agent runtime, or developer workbench uses mcp-server-git and exposes git_diff or git_checkout to model-driven or lower-trust callers. It focuses on argument injection remediation, Git CLI hardening, repository containment, and audit evidence for safe agent file operations.

Inputs

  • mcp-server-git version, package source, MCP config, enabled Git tools, and allowed repository roots.
  • Source or wrapper code that passes refs, paths, branches, or checkout/diff arguments to Git CLI commands.
  • Regression fixtures for option-looking refs, pathspec separators, branch names, and repository-root escapes using only temporary repositories.
  • Evidence of process reach: repository contents, generated files, CI config, credentials, package caches, and downstream tools that consume Git output.

Affected versions

Package Vulnerable versions Fixed versions
mcp-server-git <2025.12.18 2025.12.18+

Indicator-of-exposure

  • The repository installs, vendors, builds, mirrors, or documents mcp-server-git or modelcontextprotocol/servers Git server images.
  • MCP client config, hosted gateways, CI jobs, devcontainers, or desktop agent configs expose Git tools to LLM-directed or remote callers.
  • Tool calls can provide refs, branch names, revisions, or paths to git_diff, git_checkout, wrappers, or generated tool catalogs.
  • Source or vendored code constructs Git CLI calls from tool arguments without validating that refs do not start with a dash and resolve through rev-parse.
  • The MCP process can write to source files, hooks, package manager scripts, CI files, generated artifacts, or other files later executed by agents/builds.

Quick checks:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|git_diff|git_checkout|rev_parse|rev-parse|subprocess|create_subprocess|--repository|repo_path" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Windows:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|git_diff|git_checkout|rev_parse|rev-parse|subprocess|create_subprocess|--repository|repo_path" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Do not validate exposure by asking a live MCP server to overwrite files, change branches, edit hooks, or run Git commands against real repositories.

Remediation strategy

  • Upgrade every controlled dependency, lockfile, image, devcontainer, and MCP registration to mcp-server-git 2025.12.18+.
  • If this repository owns a fork or wrapper, add a single ref-validation helper used by git_diff, git_checkout, and any custom Git command wrapper: reject dash-prefixed values, reject path traversal, resolve refs with Git, and pass explicit argv arrays with option terminators where appropriate.
  • Keep Git MCP operations inside approved repositories. Pair this remediation with the --repository path-validation fix in 2025.12.18+.
  • Run MCP with least privilege and avoid writable access to credentials, hooks, CI config, package scripts, release metadata, and generated deployment files unless the tool’s job explicitly requires it.
  • Add safe tests that mock Git execution or use temporary repositories. Assert accepted refs become argv elements, not shell strings, and rejected refs never reach Git execution.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-68144 / GHSA-9xwc-hfwc-8w59, an argument
injection issue in `mcp-server-git` before 2025.12.18 where `git_diff` and
`git_checkout` could treat user-controlled ref values as Git CLI options.
Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or patches the affected Git
  MCP server, validates refs before Git CLI execution, prevents arbitrary file
  writes, adds safe regression checks, refreshes generated artifacts, and
  documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
  package, fork, wrapper, config, deployment, or safe containment path.

## Rules

- Scope only CVE-2025-68144 / GHSA-9xwc-hfwc-8w59 and directly related Git MCP
  argument validation, arbitrary-write, workspace-boundary, and MCP tool
  registration controls.
- Treat source code, Git hooks, uncommitted changes, credentials, package
  tokens, CI config, MCP transcripts, generated artifacts, and local paths as
  sensitive.
- Do not run file-overwrite probes, branch-changing commands, or destructive
  Git commands against production, shared, or developer repositories.
- Do not replace Git argument validation with prompt instructions or UI-only
  warnings.
- Do not auto-merge.

## Steps

1. Inventory every controlled reference to `mcp-server-git`,
   `modelcontextprotocol/servers`, `server-git`, `git_diff`, `git_checkout`,
   `rev_parse`, `rev-parse`, `--repository`, and `repo_path` in source, package
   manifests, lockfiles, Dockerfiles, Compose files, devcontainers, CI, MCP
   client configs, server registries, runbooks, SBOMs, and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
   target is vulnerable if it resolves to `mcp-server-git <2025.12.18` or a
   fork/wrapper that passes caller-controlled refs to Git without rejecting
   dash-prefixed options and validating refs.
3. Determine which MCP clients can invoke Git tools and whether those callers
   include LLM output, issue/PR text, chat users, browser agents, CI workflows,
   shared workspaces, or network clients.
4. Determine what the Git MCP process can write: source files, Git hooks,
   package scripts, config files, CI workflows, generated artifacts, caches, and
   release metadata.
5. If this repository does not control an affected runtime, stop with
   `TRIAGE.md` listing checked files, observed version if known, runtime owner,
   writable paths, and required fixed version `2025.12.18+`.
6. Upgrade all controlled deployments to `mcp-server-git 2025.12.18+`.
   Regenerate lockfiles, SBOMs, dependency reports, image digests,
   devcontainers, MCP registry snapshots, and generated docs.
7. For owned forks or wrappers, implement the fixed code shape:
   - use structured argv execution, not shell strings;
   - reject ref arguments that start with `-`;
   - resolve candidate refs with Git before passing them to `diff` or
     `checkout`;
   - reject path traversal and absolute paths where a ref is expected;
   - use a shared validation helper for every Git tool that accepts refs;
   - redact refs and paths in errors when they may contain secrets.
8. Harden workspace boundaries:
   - constrain Git tools to approved repositories;
   - run with a low-privilege OS identity;
   - avoid writable access to hooks, CI config, package scripts, and secret
     stores unless explicitly required;
   - separate generated output from files that build or deploy code.
9. Add safe regression checks:
   - dependency resolution rejects `mcp-server-git <2025.12.18`;
   - wrapper unit tests mock Git execution and prove rejected refs never reach
     the subprocess layer;
   - temporary-repo tests cover normal branch/ref use without overwriting
     arbitrary files;
   - MCP tool-list/config tests confirm only approved Git tools are exposed;
   - logs omit credentials, tokens, and sensitive local paths.
10. Add a PR body section named `CVE-2025-68144 operator actions` that states:
    - observed `mcp-server-git` versions before and after;
    - whether `git_diff` and `git_checkout` were exposed to LLM or remote
      callers;
    - which writable paths were reachable;
    - whether credentials, hooks, CI files, or generated artifacts require
      review or rotation;
    - which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
    MCP config tests, container build, SBOM refresh, dependency scans, and
    non-secret local smoke tests against temporary repositories.
12. Use PR title:
    `fix(sec): remediate mcp-server-git argument injection`.

## Stop conditions

- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
  or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document owner,
  observed version, writable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot safely carry a
  reviewed ref-validation patch or disable affected tools.
- Verification would require overwriting files, changing real branches, reading
  secrets, or mutating production/developer repositories.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades or patches vulnerable Git argument handling, separates options from user-controlled values, constrains repository roots, adds regression tests, and documents cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, enabled tools, filesystem boundary, required fix, and residual risk.
  • The output must include exact validation commands and must avoid writing to real user directories, secrets, or production repositories.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or MCP config resolves mcp-server-git <2025.12.18.
  • git_diff and git_checkout validate refs before Git CLI execution.
  • Tests prove dash-prefixed option-like values and non-ref paths are rejected before the subprocess boundary.
  • Git MCP runs with constrained writable access and approved repository scope.
  • Operator notes cover review of hooks, CI files, generated artifacts, and credentials if exposed.

Watch for

  • Upgrading dependencies while a Docker image, global uvx launcher, or hosted MCP registry still pulls an older package.
  • Validating only git_diff while custom checkout or branch helpers keep the same argument-injection pattern.
  • Adding tests that invoke real file-overwrite behavior instead of mocking or using temporary repositories.
  • Ignoring the adjacent --repository path validation fix, also included in 2025.12.18+.

References