CVE-2025-68145 - mcp-server-git repository path validation bypass
mcp-server-git before 2025.12.18 did not fully enforce the repository
boundary implied by the --repository flag. A server launched for one approved
repository could accept later repo_path arguments that resolved to other
repositories visible to the MCP process. The upstream fix resolves both the
configured repository and requested path, follows symlinks, and verifies the
requested path remains inside the allowed repository before running Git
operations.
This is a trust-boundary bug for coding agents. A single Git MCP server often
runs near multiple checkouts, private forks, generated code, home directories,
SSH config, package caches, and CI metadata. --repository should mean the
agent cannot cross into those neighboring paths.
When to use it
Use this recipe when a repository, desktop MCP profile, coding-agent runtime,
or CI workbench uses mcp-server-git with a configured repository boundary.
It is meant for source-code remediation, repository path containment, symlink
resolution review, and audit evidence that user-supplied repo_path values
cannot escape the allowed repository.
Inputs
mcp-server-gitversion, launch command,--repositoryvalue, MCP config, allowed repository list, and enabled Git tools.- Source or wrapper paths that resolve
repo_path, follow symlinks, compare repository roots, or dispatch Git operations. - Regression fixtures for symlinks, sibling repositories, nested repos, relative traversal, Windows path shapes, and valid in-repository paths.
- Runtime boundary evidence: filesystem reach, credentials, parent checkout layout, generated files, and any adjacent tools that consume Git output.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
mcp-server-git |
<2025.12.18 |
2025.12.18+ |
Indicator-of-exposure
- The repository installs, vendors, builds, mirrors, or documents
mcp-server-gitormodelcontextprotocol/serversGit server images. - MCP config launches Git server with
--repositoryand assumes it restricts all later tool calls. - Tool calls, wrappers, or generated MCP schemas accept a caller-supplied
repo_path. - The MCP process can access multiple repositories, mounted workspaces, symlinks, home directories, package caches, or credential-bearing paths.
- The Git MCP server is reachable from an LLM, issue/PR content, chat user, browser agent, CI workflow, remote MCP gateway, or shared dev workspace.
Quick checks:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|--repository|repo_path|realpath|resolve|symlink|git_status|git_log|git_diff|git_checkout|git_commit|git_show" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Windows:
rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|--repository|repo_path|realpath|resolve|symlink|git_status|git_log|git_diff|git_checkout|git_commit|git_show" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='
Do not validate exposure by reading neighboring private repositories, home directories, credential stores, or customer workspaces.
Remediation strategy
- Upgrade every controlled dependency, lockfile, image, devcontainer, and MCP
registration to
mcp-server-git 2025.12.18+. - Treat
--repositoryas a security boundary. In owned wrappers or forks, resolve the configured repository and requestedrepo_pathwith symlink resolution before every Git operation, then verify the requested path is inside the allow-list. - Remove broad workspace/home-directory mounts or make them read-only. Mount only the repository the Git MCP server should operate on.
- Run the MCP process with a dedicated low-privilege user and separate credential storage so crossing a path boundary does not expose SSH keys, GitHub tokens, package credentials, or private sibling repos.
- Add tests that use temporary repositories and symlinks to prove path boundary enforcement without touching real workspaces or secrets.
- Check the adjacent
git_diff/git_checkoutargument-injection issue fixed in the same2025.12.18+release train.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2025-68145 / GHSA-j22h-9j4x-23w5, where
`mcp-server-git` before 2025.12.18 failed to keep caller-supplied `repo_path`
inside the repository selected by `--repository`. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades or patches the affected Git
MCP server, enforces resolved repository allow-lists, constrains mounts and
credentials, adds safe regression checks, refreshes generated artifacts, and
documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
package, fork, wrapper, config, deployment, or safe containment path.
## Rules
- Scope only CVE-2025-68145 / GHSA-j22h-9j4x-23w5 and directly related Git MCP
`--repository`, `repo_path`, symlink, mount, credential, and workspace-boundary
controls.
- Treat source code, sibling repositories, SSH keys, Git credentials, package
tokens, CI secrets, home directories, MCP transcripts, generated artifacts,
and local paths as sensitive.
- Do not read neighboring repositories, home directories, credential stores, or
customer workspaces to prove exposure.
- Do not rely on prompt instructions or UI labels to enforce repository
boundaries.
- Do not auto-merge.
## Steps
1. Inventory every controlled reference to `mcp-server-git`,
`modelcontextprotocol/servers`, `server-git`, `uvx mcp-server-git`,
`--repository`, `repo_path`, symlink handling, and Git tool wrappers in
source, package manifests, lockfiles, Dockerfiles, Compose files,
devcontainers, CI, MCP client configs, server registries, runbooks, SBOMs,
and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
target is vulnerable if it resolves to `mcp-server-git <2025.12.18` or a
fork/wrapper that accepts caller-supplied repository paths without resolved
allow-list validation.
3. Determine every configured repository boundary and every path reachable by
the MCP process: sibling repos, home directories, SSH config, Git credential
stores, package caches, mounted workspaces, CI checkouts, generated output,
and symlinks.
4. Determine who can influence `repo_path`: LLM output, issue/PR text, chat
users, browser agents, CI workflows, hosted MCP gateways, shared workspaces,
or local-only trusted users.
5. If this repository does not control an affected runtime, stop with
`TRIAGE.md` listing checked files, observed version if known, runtime owner,
reachable paths, and required fixed version `2025.12.18+`.
6. Upgrade all controlled deployments to `mcp-server-git 2025.12.18+`.
Regenerate lockfiles, SBOMs, dependency reports, image digests,
devcontainers, MCP registry snapshots, and generated docs.
7. For owned forks or wrappers, implement the fixed code shape:
- resolve the configured repository path and requested `repo_path`;
- follow symlinks before comparison;
- reject paths outside the approved repository allow-list;
- apply the check before every Git operation, not just server startup;
- centralize the check in one helper used by all Git tools;
- redact sensitive paths from errors and logs.
8. Harden runtime containment:
- mount only approved repositories into the MCP container/process;
- make unrelated mounts read-only or remove them;
- run with a dedicated low-privilege OS identity;
- keep SSH keys, GitHub tokens, package tokens, and cloud credentials outside
the Git server's readable tree unless required;
- avoid shared writable home directories for hosted or CI agents.
9. Add safe regression checks:
- dependency resolution rejects `mcp-server-git <2025.12.18`;
- temporary-repo tests prove symlink and sibling-path requests are rejected;
- wrapper tests prove every Git tool calls the shared repository-boundary
helper;
- MCP config tests prove only approved repository paths are mounted or
configured;
- logs omit secrets and sensitive absolute paths.
10. Add a PR body section named `CVE-2025-68145 operator actions` that states:
- observed `mcp-server-git` versions before and after;
- which `--repository` boundaries existed;
- which callers could influence `repo_path`;
- which sibling repos, credentials, or generated artifacts may have been
reachable;
- whether Git credentials or repository secrets need rotation;
- which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
MCP config tests, container build, SBOM refresh, dependency scans, and
non-secret local smoke tests using temporary repositories and symlinks.
12. Use PR title:
`fix(sec): enforce mcp-server-git repository boundaries`.
## Stop conditions
- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document owner,
observed version, reachable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot safely carry a
reviewed repository-boundary patch or disable affected tools.
- Verification would require reading neighboring private repositories,
credential stores, customer workspaces, or real developer home directories.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades or patches
mcp-server-git, resolves and enforces repository roots, adds escape tests, and documents workspace cleanup. - Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, configured repository boundary, enabled tools, required fix, and residual risk. - The output must include exact validation commands and must not read, modify, or run Git operations against real out-of-scope repositories.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or MCP config resolves
mcp-server-git <2025.12.18. - Every Git tool resolves and validates
repo_pathinside the configured repository before execution. - Temporary-repo tests cover symlinks and sibling paths without touching real workspaces.
- Runtime config mounts only approved repositories and keeps credentials outside the readable/writable Git MCP tree where practical.
- Operator notes cover sibling repository and credential exposure.
Watch for
- Updating a package while global
uvx, desktop MCP config, or hosted gateway still launches an older Git server. - Checking the path only at startup while later tool calls accept a new
repo_path. - Comparing strings instead of resolved paths, which can miss symlinks and path normalization.
- Fixing repository boundaries while leaving the adjacent
git_diff/git_checkoutargument-injection issue unpatched.
Related recipes
- Source code attack surface map
- Source code supply chain build integrity audit
- Source code authz tenant boundary audit
- SAST finding triage and fix