CVE-2025-68145: MCP Server Git: Path Traversal via Missing Repository Path Validation
CVE-2025-68145 is verified against mcp-server-git · pip affected versions: < 2025.12.18 fixed version: 2025.12.18 vulnerability class: Path Traversal This medium reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00076.
pruva-verify REPRO-2026-00076 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00076/artifacts/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh In mcp-server-git versions prior to 2025.12.18, when started with --repository flag, it did not validate that repo_path arguments were within the configured path. This allows tool calls to operate on other repositories via direct paths, path traversal, or symlinks.
# Root Cause Analysis Report ## Summary mcp-server-git versions prior to 2025.12.18 do not validate that the `repo_path` argument supplied to tool calls remains within the repository configured by the `--repository` flag. As a result, a client can call tools (e.g., `git_status`) against any other Git repository accessible to the server process, defeating the intended restriction. ## Impact - **Affected component:** mcp-server-git Python package (stdio MCP server) - **Affected versions:** < 2025.12.18 (reproduced with 2025.11.25) - **Risk level:** Medium - **Consequence:** Clients can read or manipulate repositories outside the configured allowed repository, including via path traversal or symlink escapes. ## Root Cause The vulnerable server implementation directly converts `repo_path` from tool call arguments into a `Path` and opens it with `git.Repo(...)` without checking whether it is inside the configured `--repository` path. The fix (2025.12.18) introduces `validate_repo_path`, which resolves both the allowed repository and requested path (following symlinks) and rejects paths outside the allowed root before executing Git operations. ## Reproduction Steps 1. Run `repro/reproduction_steps.sh`. 2. The script creates two Git repositories, starts the vulnerable server (2025.11.25) with `--repository` set to the allowed repo, and calls `git_status` against outside paths (direct, traversal, and symlink). 3. The script repeats the call against the fixed server (2025.12.18) and confirms rejection. ## Evidence - Vulnerable behavior (access outside repo succeeds): - `logs/vuln_outside_repo.log` (shows `isError False` with status output for the outside repo) - `logs/vuln_traversal_repo.log` - `logs/vuln_symlink_repo.log` - Fixed behavior (access outside repo blocked): - `logs/fixed_outside_repo.log` - `logs/fixed_symlink_repo.log` - Environment: Python 3.11 with venvs created by the script, Git CLI used to initialize test repos. ## Recommendations / Next Steps - Upgrade mcp-server-git to 2025.12.18 or later. - Ensure all tool entry points validate repository paths using resolved paths (including symlinks) before performing Git operations. - Add regression tests covering path traversal and symlink escape cases. ## Additional Notes - `repro/reproduction_steps.sh` was executed twice successfully to verify idempotence. - The test covers direct path usage, relative traversal, and symlink escapes to match the fixed validation logic.
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.
No artifacts available