CVE-2025-68145 - mcp-server-git repository path validation bypass

mcp-server-git before 2025.12.18 did not fully enforce the repository boundary implied by the --repository flag. A server launched for one approved repository could accept later repo_path arguments that resolved to other repositories visible to the MCP process. The upstream fix resolves both the configured repository and requested path, follows symlinks, and verifies the requested path remains inside the allowed repository before running Git operations.

This is a trust-boundary bug for coding agents. A single Git MCP server often runs near multiple checkouts, private forks, generated code, home directories, SSH config, package caches, and CI metadata. --repository should mean the agent cannot cross into those neighboring paths.

When to use it

Use this recipe when a repository, desktop MCP profile, coding-agent runtime, or CI workbench uses mcp-server-git with a configured repository boundary. It is meant for source-code remediation, repository path containment, symlink resolution review, and audit evidence that user-supplied repo_path values cannot escape the allowed repository.

Inputs

  • mcp-server-git version, launch command, --repository value, MCP config, allowed repository list, and enabled Git tools.
  • Source or wrapper paths that resolve repo_path, follow symlinks, compare repository roots, or dispatch Git operations.
  • Regression fixtures for symlinks, sibling repositories, nested repos, relative traversal, Windows path shapes, and valid in-repository paths.
  • Runtime boundary evidence: filesystem reach, credentials, parent checkout layout, generated files, and any adjacent tools that consume Git output.

Affected versions

Package Vulnerable versions Fixed versions
mcp-server-git <2025.12.18 2025.12.18+

Indicator-of-exposure

  • The repository installs, vendors, builds, mirrors, or documents mcp-server-git or modelcontextprotocol/servers Git server images.
  • MCP config launches Git server with --repository and assumes it restricts all later tool calls.
  • Tool calls, wrappers, or generated MCP schemas accept a caller-supplied repo_path.
  • The MCP process can access multiple repositories, mounted workspaces, symlinks, home directories, package caches, or credential-bearing paths.
  • The Git MCP server is reachable from an LLM, issue/PR content, chat user, browser agent, CI workflow, remote MCP gateway, or shared dev workspace.

Quick checks:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|--repository|repo_path|realpath|resolve|symlink|git_status|git_log|git_diff|git_checkout|git_commit|git_show" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Windows:

rg -n "mcp-server-git|modelcontextprotocol/servers|server-git|--repository|repo_path|realpath|resolve|symlink|git_status|git_log|git_diff|git_checkout|git_commit|git_show" .
python -m pip show mcp-server-git
python -m pip freeze | rg '^mcp-server-git=='

Do not validate exposure by reading neighboring private repositories, home directories, credential stores, or customer workspaces.

Remediation strategy

  • Upgrade every controlled dependency, lockfile, image, devcontainer, and MCP registration to mcp-server-git 2025.12.18+.
  • Treat --repository as a security boundary. In owned wrappers or forks, resolve the configured repository and requested repo_path with symlink resolution before every Git operation, then verify the requested path is inside the allow-list.
  • Remove broad workspace/home-directory mounts or make them read-only. Mount only the repository the Git MCP server should operate on.
  • Run the MCP process with a dedicated low-privilege user and separate credential storage so crossing a path boundary does not expose SSH keys, GitHub tokens, package credentials, or private sibling repos.
  • Add tests that use temporary repositories and symlinks to prove path boundary enforcement without touching real workspaces or secrets.
  • Check the adjacent git_diff/git_checkout argument-injection issue fixed in the same 2025.12.18+ release train.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2025-68145 / GHSA-j22h-9j4x-23w5, where
`mcp-server-git` before 2025.12.18 failed to keep caller-supplied `repo_path`
inside the repository selected by `--repository`. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or patches the affected Git
  MCP server, enforces resolved repository allow-lists, constrains mounts and
  credentials, adds safe regression checks, refreshes generated artifacts, and
  documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected `mcp-server-git`
  package, fork, wrapper, config, deployment, or safe containment path.

## Rules

- Scope only CVE-2025-68145 / GHSA-j22h-9j4x-23w5 and directly related Git MCP
  `--repository`, `repo_path`, symlink, mount, credential, and workspace-boundary
  controls.
- Treat source code, sibling repositories, SSH keys, Git credentials, package
  tokens, CI secrets, home directories, MCP transcripts, generated artifacts,
  and local paths as sensitive.
- Do not read neighboring repositories, home directories, credential stores, or
  customer workspaces to prove exposure.
- Do not rely on prompt instructions or UI labels to enforce repository
  boundaries.
- Do not auto-merge.

## Steps

1. Inventory every controlled reference to `mcp-server-git`,
   `modelcontextprotocol/servers`, `server-git`, `uvx mcp-server-git`,
   `--repository`, `repo_path`, symlink handling, and Git tool wrappers in
   source, package manifests, lockfiles, Dockerfiles, Compose files,
   devcontainers, CI, MCP client configs, server registries, runbooks, SBOMs,
   and generated docs.
2. Resolve every package, image, tag, digest, and vendored commit version. A
   target is vulnerable if it resolves to `mcp-server-git <2025.12.18` or a
   fork/wrapper that accepts caller-supplied repository paths without resolved
   allow-list validation.
3. Determine every configured repository boundary and every path reachable by
   the MCP process: sibling repos, home directories, SSH config, Git credential
   stores, package caches, mounted workspaces, CI checkouts, generated output,
   and symlinks.
4. Determine who can influence `repo_path`: LLM output, issue/PR text, chat
   users, browser agents, CI workflows, hosted MCP gateways, shared workspaces,
   or local-only trusted users.
5. If this repository does not control an affected runtime, stop with
   `TRIAGE.md` listing checked files, observed version if known, runtime owner,
   reachable paths, and required fixed version `2025.12.18+`.
6. Upgrade all controlled deployments to `mcp-server-git 2025.12.18+`.
   Regenerate lockfiles, SBOMs, dependency reports, image digests,
   devcontainers, MCP registry snapshots, and generated docs.
7. For owned forks or wrappers, implement the fixed code shape:
   - resolve the configured repository path and requested `repo_path`;
   - follow symlinks before comparison;
   - reject paths outside the approved repository allow-list;
   - apply the check before every Git operation, not just server startup;
   - centralize the check in one helper used by all Git tools;
   - redact sensitive paths from errors and logs.
8. Harden runtime containment:
   - mount only approved repositories into the MCP container/process;
   - make unrelated mounts read-only or remove them;
   - run with a dedicated low-privilege OS identity;
   - keep SSH keys, GitHub tokens, package tokens, and cloud credentials outside
     the Git server's readable tree unless required;
   - avoid shared writable home directories for hosted or CI agents.
9. Add safe regression checks:
   - dependency resolution rejects `mcp-server-git <2025.12.18`;
   - temporary-repo tests prove symlink and sibling-path requests are rejected;
   - wrapper tests prove every Git tool calls the shared repository-boundary
     helper;
   - MCP config tests prove only approved repository paths are mounted or
     configured;
   - logs omit secrets and sensitive absolute paths.
10. Add a PR body section named `CVE-2025-68145 operator actions` that states:
    - observed `mcp-server-git` versions before and after;
    - which `--repository` boundaries existed;
    - which callers could influence `repo_path`;
    - which sibling repos, credentials, or generated artifacts may have been
      reachable;
    - whether Git credentials or repository secrets need rotation;
    - which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
    MCP config tests, container build, SBOM refresh, dependency scans, and
    non-secret local smoke tests using temporary repositories and symlinks.
12. Use PR title:
    `fix(sec): enforce mcp-server-git repository boundaries`.

## Stop conditions

- No affected `mcp-server-git` package, fork, wrapper, MCP registration, image,
  or deployment is controlled by this repository.
- The only affected runtime is owned by another team or vendor; document owner,
  observed version, reachable paths, and required fixed version.
- A fixed package cannot be consumed and the repository cannot safely carry a
  reviewed repository-boundary patch or disable affected tools.
- Verification would require reading neighboring private repositories,
  credential stores, customer workspaces, or real developer home directories.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades or patches mcp-server-git, resolves and enforces repository roots, adds escape tests, and documents workspace cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, configured repository boundary, enabled tools, required fix, and residual risk.
  • The output must include exact validation commands and must not read, modify, or run Git operations against real out-of-scope repositories.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or MCP config resolves mcp-server-git <2025.12.18.
  • Every Git tool resolves and validates repo_path inside the configured repository before execution.
  • Temporary-repo tests cover symlinks and sibling paths without touching real workspaces.
  • Runtime config mounts only approved repositories and keeps credentials outside the readable/writable Git MCP tree where practical.
  • Operator notes cover sibling repository and credential exposure.

Watch for

  • Updating a package while global uvx, desktop MCP config, or hosted gateway still launches an older Git server.
  • Checking the path only at startup while later tool calls accept a new repo_path.
  • Comparing strings instead of resolved paths, which can miss symlinks and path normalization.
  • Fixing repository boundaries while leaving the adjacent git_diff/git_checkout argument-injection issue unpatched.

References