# REPRO-2026-00076: MCP Server Git: Path Traversal via Missing Repository Path Validation

## Summary

- Status: published
- Severity: medium
- Type: security
- Confidence: Unknown

## Identifiers

- REPRO ID: REPRO-2026-00076
- GHSA: GHSA-j22h-9j4x-23w5
- CVE: CVE-2025-68145

## Package

- Name: mcp-server-git
- Ecosystem: pip
- Affected: < 2025.12.18
- Fixed: 2025.12.18

## Root Cause

### Root Cause Analysis Report

#### Summary

mcp-server-git versions prior to 2025.12.18 do not validate that the `repo_path` argument supplied to tool calls remains within the repository configured by the `--repository` flag. As a result, a client can call tools (e.g., `git_status`) against any other Git repository accessible to the server process, defeating the intended restriction.

#### Impact

- **Affected component:** mcp-server-git Python package (stdio MCP server)
- **Affected versions:** < 2025.12.18 (reproduced with 2025.11.25)
- **Risk level:** Medium
- **Consequence:** Clients can read or manipulate repositories outside the configured allowed repository, including via path traversal or symlink escapes.

#### Root Cause

The vulnerable server implementation converts `repo_path` from the tool call arguments directly into a `Path` and opens it with `git.Repo(...)` without checking whether it lies inside the configured `--repository` path. The fix (2025.12.18) introduces `validate_repo_path`, which resolves both the allowed repository and the requested path (following symlinks) and rejects paths outside the allowed root before executing any Git operation.

#### Reproduction Steps

1. Run `repro/reproduction_steps.sh`.
2. The script creates two Git repositories, starts the vulnerable server (2025.11.25) with `--repository` set to the allowed repo, and calls `git_status` against outside paths (direct, traversal, and symlink).
3. The script repeats the call against the fixed server (2025.12.18) and confirms rejection.
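The following is an added illustration of the validation gap described above and of the resolve-then-compare check the fix relies on; it is not code from mcp-server-git. `naive_repo_path` and the same-named `validate_repo_path` are our own functions, and the `allowed_repo`, `other_repo` and `escape` symlink are constructed in a temporary directory so the three cases from the reproduction (direct, traversal, symlink) can be checked without Git.

```python
import tempfile
from pathlib import Path


def naive_repo_path(requested: str) -> Path:
    """Pre-fix behaviour (illustrative): the argument is used as-is,
    so any directory the server process can reach is accepted."""
    return Path(requested)


def validate_repo_path(requested: str, allowed_root: str) -> Path:
    """Hardened check modelled on the fix's description: resolve both
    paths (following symlinks), then require the target to be the allowed
    root itself or a descendant of it. Non-existent paths raise
    FileNotFoundError via strict=True rather than being silently accepted."""
    root = Path(allowed_root).resolve(strict=True)
    target = Path(requested).resolve(strict=True)
    if target != root and root not in target.parents:
        raise PermissionError(f"{requested} is outside allowed repository {root}")
    return target


def run_cases() -> dict:
    """Build a constructed layout in a temp dir and probe both checks.
    Returns {case: (naive_accepts, hardened_accepts)}."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = Path(tmp, "allowed_repo")
        other = Path(tmp, "other_repo")
        allowed.mkdir()
        other.mkdir()
        (allowed / "sub").mkdir()
        # Symlink inside the allowed tree pointing at the outside repo.
        (allowed / "escape").symlink_to(other, target_is_directory=True)
        cases = {
            "inside": str(allowed / "sub"),
            "direct": str(other),
            "traversal": str(allowed / ".." / "other_repo"),
            "symlink": str(allowed / "escape"),
        }
        results = {}
        for name, path in cases.items():
            naive_accepts = naive_repo_path(path).is_dir()
            try:
                validate_repo_path(path, str(allowed))
                hardened_accepts = True
            except PermissionError:
                hardened_accepts = False
            results[name] = (naive_accepts, hardened_accepts)
        return results
```

Only the `inside` case passes the hardened check; the naive conversion accepts all four, which is the behaviour the vulnerable logs record.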
#### Evidence

- Vulnerable behavior (access outside repo succeeds):
  - `logs/vuln_outside_repo.log` (shows `isError False` with status output for the outside repo)
  - `logs/vuln_traversal_repo.log`
  - `logs/vuln_symlink_repo.log`
- Fixed behavior (access outside repo blocked):
  - `logs/fixed_outside_repo.log`
  - `logs/fixed_symlink_repo.log`
- Environment: Python 3.11 with venvs created by the script; Git CLI used to initialize the test repos.

#### Recommendations / Next Steps

- Upgrade mcp-server-git to 2025.12.18 or later.
- Ensure all tool entry points validate repository paths using resolved paths (including symlinks) before performing Git operations.
- Add regression tests covering path traversal and symlink escape cases.

#### Additional Notes

- `repro/reproduction_steps.sh` was executed twice successfully to verify idempotence.
- The test covers direct path usage, relative traversal, and symlink escapes to match the fixed validation logic.

## Reproduction Details

- Reproduced: 2026-01-21T07:51:32.909Z
- Duration: 690 seconds
- Tool calls: 155
- Turns: Unknown
- Handoffs: Unknown

## Timeline (Key Moments)

1. [env_setup] Installing vulnerable mcp-server-git (repro): Agent installs mcp-server-git 2025.11.25 (vulnerable) and 2025.12.18 (fixed) in separate virtual environments for comparative testing.
2. [poc_created] Creating test repositories (repro): Agent creates two Git repositories, allowed_repo (configured path) and other_repo (outside path), to test path traversal scenarios.
3. [vuln_triggered] Path traversal vulnerability confirmed (repro): Agent confirms the vulnerable version allows `git_status` calls on repositories outside the configured `--repository` path via direct path, `../` traversal, and symlinks; all return `isError: False`.
4. [confirmation] Fix verified (repro): Agent confirms the fixed version (2025.12.18) rejects all path traversal attempts with `isError: True` and a message indicating the path is outside the allowed repository.
## Quick Verification

Run one of these commands to verify locally:

```sh
pruva-verify REPRO-2026-00076
pruva-verify GHSA-j22h-9j4x-23w5
pruva-verify CVE-2025-68145
```

Or open in GitHub Codespaces (zero-friction, auto-runs): https://github.com/codespaces/new?ref=repro/REPRO-2026-00076&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

```sh
curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00076/artifacts/reproduction_steps.sh
chmod +x reproduction_steps.sh
./reproduction_steps.sh
```

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References

- GitHub Advisory: https://github.com/advisories/GHSA-j22h-9j4x-23w5
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-68145
- Source: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5

## Artifacts

- reproduction_steps.sh (reproduction_script, 3751 bytes)
- rca_report.md (analysis, 2481 bytes)
- path (other, 27 bytes)
- ticket.md (ticket, 1240 bytes)
- vuln_outside_repo.log (log, 96 bytes)
- vuln_traversal_repo.log (log, 96 bytes)
- vuln_symlink_repo.log (log, 96 bytes)
- fixed_outside_repo.log (log, 297 bytes)
- fixed_symlink_repo.log (log, 311 bytes)

## API Access

- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00076
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00076/artifacts/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00076

## For AI Assistants

To help users with this reproduction:

1. The `pruva-verify` command is the simplest way to run the reproduction.
2. The script downloads and runs automatically in an isolated temp directory.
3. Always recommend running in a VM, container, or disposable environment.
4. The root cause explains the technical vulnerability.

---

Generated by Pruva | https://pruva.dev