CVE-2025-68143

MEDIUM EPSS 93.9%
Published Dec 17, 2025 (6 months ago) · Modified Jun 17, 2026 (2 weeks ago)
CVSS 4.0 base score 6.5 (Medium)

Description

Model Context Protocol Servers is a collection of reference implementations for the Model Context Protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike the other tools, which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.

CVSS Details

Base Score
6.5
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: None (N)
User Interaction: Passive (P)
Scope: not defined (X)

Threat Intelligence

EPSS Exploit Probability: 93.9% (percentile)
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses (1)

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (category: Resource Management)

Affected Products (1)

Vendor      Product                          Version   Range
lfprojects  model_context_protocol_servers   *         <2025.9.25

References (2)

  • github.com https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
    Patch
  • github.com https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v
    Vendor Advisory

Remediation

  • github.com https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
    Patch