CVE-2025-68144 - mcp-server-git diff and checkout argument injection
mcp-server-git before 2025.12.18 passed user-controlled git_diff and
git_checkout arguments directly to Git CLI commands. Values that looked like
Git options could be interpreted by the CLI instead of being treated as refs,
allowing local file overwrites or unintended checkout behavior in the MCP
server’s process context.
In agent environments, a “local file overwrite” can still be a serious control failure. The MCP server often runs next to repository credentials, generated code, CI files, prompt/tool manifests, package caches, and other tools that may consume files after Git writes them.
When to use it
Use this recipe when a repository, desktop MCP profile, agent runtime, or
developer workbench uses mcp-server-git and exposes git_diff or
git_checkout to model-driven or lower-trust callers. It focuses on argument
injection remediation, Git CLI hardening, repository containment, and audit
evidence for safe agent file operations.
Inputs
mcp-server-gitversion, package source, MCP config, enabled Git tools, and allowed repository roots.- Source or wrapper code that passes refs, paths, branches, or checkout/diff arguments to Git CLI commands.
- Regression fixtures for option-looking refs, pathspec separators, branch names, and repository-root escapes using only temporary repositories.
- Evidence of process reach: repository contents, generated files, CI config, credentials, package caches, and downstream tools that consume Git output.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
mcp-server-git |
<2025.12.18 |
2025.12.18+ |
Indicator-of-exposure
- The repository installs, vendors, builds, mirrors, or documents
mcp-server-gitormodelcontextprotocol/serversGit server images. - MCP client config, hosted gateways, CI jobs, devcontainers, or desktop agent configs expose Git tools to LLM-directed or remote callers.
- Tool calls can provide refs, branch names, revisions, or paths to
git_diff,git_checkout, wrappers, or generated tool catalogs. - Source or vendored code constructs Git CLI calls from tool arguments without
validating that refs do not start with a dash and resolve through
rev-parse. - The MCP process can write to source files, hooks, package manager scripts, CI files, generated artifacts, or other files later executed by agents/builds.
Quick checks:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|git_diff|git_checkout|rev_parse|rev-parse|subprocess|create_subprocess|--repository|repo_path" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Windows:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|git_diff|git_checkout|rev_parse|rev-parse|subprocess|create_subprocess|--repository|repo_path" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Do not validate exposure by asking a live MCP server to overwrite files, change branches, edit hooks, or run Git commands against real repositories.
Remediation strategy
- Upgrade every controlled dependency, lockfile, image, devcontainer, and MCP
registration to
mcp-server-git 2025.12.18+. - If this repository owns a fork or wrapper, add a single ref-validation helper
used by
git_diff,git_checkout, and any custom Git command wrapper: reject dash-prefixed values, reject path traversal, resolve refs with Git, and pass explicit argv arrays with option terminators where appropriate. - Keep Git MCP operations inside approved repositories. Pair this remediation
with the
--repositorypath-validation fix in2025.12.18+. - Run MCP with least privilege and avoid writable access to credentials, hooks, CI config, package scripts, release metadata, and generated deployment files unless the tool’s job explicitly requires it.
- Add safe tests that mock Git execution or use temporary repositories. Assert accepted refs become argv elements, not shell strings, and rejected refs never reach Git execution.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-68144 / GHSA-9xwc-hfwc-8w59, an argument
injection issue in `mcp-server-git` before 2025.12.18 where `git_diff` and
`git_checkout` could treat user-controlled ref values as Git CLI options.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades or patches the affected Git
MCP server, validates refs before Git CLI execution, prevents arbitrary file
writes, adds safe regression checks, refreshes generated artifacts, and
documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
package, fork, wrapper, config, deployment, or safe containment path.
## Rules
- Scope only CVE-2025-68144 / GHSA-9xwc-hfwc-8w59 and directly related Git MCP
argument validation, arbitrary-write, workspace-boundary, and MCP tool
registration controls.
- Treat source code, Git hooks, uncommitted changes, credentials, package
tokens, CI config, MCP transcripts, generated artifacts, and local paths as
sensitive.
- Do not run file-overwrite probes, branch-changing commands, or destructive
Git commands against production, shared, or developer repositories.
- Do not replace Git argument validation with prompt instructions or UI-only
warnings.
- Do not auto-merge.
## Steps
1. Inventory every controlled reference to `mcp-server-git`,
`modelcontextprotocol/servers`, `server-git`, `git_diff`, `git_checkout`,
`rev_parse`, `rev-parse`, `--repository`, and `repo_path` in source, package
manifests, lockfiles, Dockerfiles, Compose files, devcontainers, CI, MCP
client configs, server registries, runbooks, SBOMs, and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
target is vulnerable if it resolves to `mcp-server-git <2025.12.18` or a
fork/wrapper that passes caller-controlled refs to Git without rejecting
dash-prefixed options and validating refs.
3. Determine which MCP clients can invoke Git tools and whether those callers
include LLM output, issue/PR text, chat users, browser agents, CI workflows,
shared workspaces, or network clients.
4. Determine what the Git MCP process can write: source files, Git hooks,
package scripts, config files, CI workflows, generated artifacts, caches, and
release metadata.
5. If this repository does not control an affected runtime, stop with
`TRIAGE.md` listing checked files, observed version if known, runtime owner,
writable paths, and required fixed version `2025.12.18+`.
6. Upgrade all controlled deployments to `mcp-server-git 2025.12.18+`.
Regenerate lockfiles, SBOMs, dependency reports, image digests,
devcontainers, MCP registry snapshots, and generated docs.
7. For owned forks or wrappers, implement the fixed code shape:
- use structured argv execution, not shell strings;
- reject ref arguments that start with `-`;
- resolve candidate refs with Git before passing them to `diff` or
`checkout`;
- reject path traversal and absolute paths where a ref is expected;
- use a shared validation helper for every Git tool that accepts refs;
- redact refs and paths in errors when they may contain secrets.
8. Harden workspace boundaries:
- constrain Git tools to approved repositories;
- run with a low-privilege OS identity;
- avoid writable access to hooks, CI config, package scripts, and secret
stores unless explicitly required;
- separate generated output from files that build or deploy code.
9. Add safe regression checks:
- dependency resolution rejects `mcp-server-git <2025.12.18`;
- wrapper unit tests mock Git execution and prove rejected refs never reach
the subprocess layer;
- temporary-repo tests cover normal branch/ref use without overwriting
arbitrary files;
- MCP tool-list/config tests confirm only approved Git tools are exposed;
- logs omit credentials, tokens, and sensitive local paths.
10. Add a PR body section named `CVE-2025-68144 operator actions` that states:
- observed `mcp-server-git` versions before and after;
- whether `git_diff` and `git_checkout` were exposed to LLM or remote
callers;
- which writable paths were reachable;
- whether credentials, hooks, CI files, or generated artifacts require
review or rotation;
- which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
MCP config tests, container build, SBOM refresh, dependency scans, and
non-secret local smoke tests against temporary repositories.
12. Use PR title:
`fix(sec): remediate mcp-server-git argument injection`.
## Stop conditions
- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document owner,
observed version, writable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot safely carry a
reviewed ref-validation patch or disable affected tools.
- Verification would require overwriting files, changing real branches, reading
secrets, or mutating production/developer repositories.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades or patches vulnerable Git argument handling, separates options from user-controlled values, constrains repository roots, adds regression tests, and documents cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, enabled tools, filesystem boundary, required fix, and residual risk. - The output must include exact validation commands and must avoid writing to real user directories, secrets, or production repositories.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or MCP config resolves
mcp-server-git <2025.12.18. git_diffandgit_checkoutvalidate refs before Git CLI execution.- Tests prove dash-prefixed option-like values and non-ref paths are rejected before the subprocess boundary.
- Git MCP runs with constrained writable access and approved repository scope.
- Operator notes cover review of hooks, CI files, generated artifacts, and credentials if exposed.
Watch for
- Upgrading dependencies while a Docker image, global
uvxlauncher, or hosted MCP registry still pulls an older package. - Validating only
git_diffwhile custom checkout or branch helpers keep the same argument-injection pattern. - Adding tests that invoke real file-overwrite behavior instead of mocking or using temporary repositories.
- Ignoring the adjacent
--repositorypath validation fix, also included in2025.12.18+.
Related recipes
- Source code injection sink audit
- Source code attack surface map
- Source code supply chain build integrity audit
- SAST finding triage and fix