CVE-2025-68143
MEDIUM EPSS 93.9%
Published Dec 17, 2025 6mo ago · Modified Jun 17, 2026 2w ago
6.5 CVSS 4.0
Description
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.
CVSS Details
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction P
Scope X
Threat Intelligence
EPSS Exploit Probability
93.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| lfprojects | model_context_protocol_servers | * | <2025.9.25 |
References 2
- github.com https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
- github.com https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v
Remediation
- github.com https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6