CVE-2025-53107 is a command injection vulnerability identified in the cyanheads git-mcp-server, a server designed to interact with Git repositories. The vulnerability exists in versions prior to 2.1.5 due to improper neutralization of special elements used in command execution (CWE-77). Specifically, the server uses the Node.js child_process.exec function to execute shell commands constructed with unsanitized user input. This allows an attacker to inject arbitrary shell metacharacters (such as |, >, &&) into the command string, leading to arbitrary command execution on the underlying system with the privileges of the git-mcp-server process. The vulnerability can be triggered remotely by an MCP client that sends crafted input, for example via indirect prompt injection when reading git logs, causing the server to execute unintended commands. The flaw arises because the server does not validate or sanitize input parameters before embedding them into shell commands, making it vulnerable to shell injection attacks. This vulnerability has been addressed in version 2.1.5 of the git-mcp-server, where input sanitization or safer command execution methods have presumably been implemented to prevent injection. The CVSS v3.1 base score is 7.5, indicating a high severity level, with the vector reflecting network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability. No known exploits are reported in the wild yet, but the potential for remote code execution makes this a critical risk for affected deployments.

For European organizations using cyanheads git-mcp-server versions prior to 2.1.5, this vulnerability poses a significant risk. Successful exploitation could allow attackers to execute arbitrary commands remotely, potentially leading to full system compromise, data theft, service disruption, or lateral movement within internal networks. Given that git-mcp-server interacts with Git repositories, attackers could manipulate source code, inject malicious code, or disrupt development workflows, impacting software supply chain integrity. The high confidentiality, integrity, and availability impacts mean sensitive intellectual property and operational continuity could be severely affected. Organizations relying on this server for critical development or deployment pipelines may face operational downtime and reputational damage. The requirement for user interaction (e.g., an MCP client triggering the vulnerable code path) may limit automated exploitation but does not eliminate risk, especially in environments where multiple users interact with the server. The lack of known exploits in the wild suggests that proactive patching can effectively mitigate risk before widespread attacks occur.

European organizations should immediately upgrade cyanheads git-mcp-server to version 2.1.5 or later, where the vulnerability is patched. If upgrading is not immediately feasible, organizations should implement strict input validation and sanitization on all user-supplied parameters interacting with the server. Employing application-layer firewalls or intrusion detection systems to monitor and block suspicious command injection patterns can provide temporary protection. Restricting access to the git-mcp-server to trusted networks and authenticated users reduces exposure. Additionally, running the server with the least privileges necessary limits the impact of potential exploitation. Organizations should audit their MCP client interactions to identify and remediate any indirect prompt injection vectors. Regularly monitoring logs for unusual command execution or shell activity can help detect exploitation attempts early. Finally, integrating secure coding practices and avoiding the use of child_process.exec with unsanitized input in custom extensions or scripts is critical to prevent similar vulnerabilities.