CVE-2025-68143: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in modelcontextprotocol servers

Severity: Medium
Tags: CVE-2025-68143, CWE-22
Published: Wed Dec 17 2025 (12/17/2025, 22:09:43 UTC)
Source: CVE Database V5
Vendor/Project: modelcontextprotocol
Product: servers

Description

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.

AI-Powered Analysis

Last updated: 12/17/2025, 23:26:02 UTC

Technical Analysis

CVE-2025-68143 affects the mcp-server-git reference server in the modelcontextprotocol (MCP) servers collection, in versions prior to 2025.9.25. That server exposed a tool called git_init for initializing Git repositories. Unlike the other tools, which only operate on an existing repository, git_init accepted arbitrary filesystem paths without checking whether the target directory was an appropriate or permitted location. This improper limitation of a pathname (CWE-22) let a caller name any directory accessible to the server process as the target for repository creation, and once a directory had been initialized it became eligible for the server's other git operations. An attacker could therefore create or manipulate Git repositories in unintended locations, potentially overwriting or injecting malicious content into critical directories. The vulnerability is remotely exploitable over the network without authentication and requires user interaction, such as triggering the git_init operation. The CVSS 4.0 score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity and no privileges required, offset by the user-interaction requirement. The flaw was addressed by removing the git_init tool entirely in version 2025.9.25, restricting the server strictly to existing repositories and eliminating the unsafe path acceptance. No exploits in the wild are currently reported, but the vulnerability poses a risk of unauthorized filesystem manipulation and of supply chain or code integrity attacks if exploited.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized creation or modification of Git repositories on MCP servers, potentially compromising code integrity and supply chain security. Organizations relying on MCP servers for software development or deployment could face risks of malicious code injection or disruption of development workflows. The ability to write to arbitrary directories accessible by the server process could also be leveraged to overwrite critical files or plant backdoors, impacting confidentiality, integrity, and availability of systems. Given the network-exploitable nature and lack of authentication, attackers could remotely target vulnerable servers, increasing the risk to organizations with exposed MCP services. The impact is particularly significant for organizations in sectors with stringent software integrity requirements, such as finance, telecommunications, and critical infrastructure within Europe.

Mitigation Recommendations

European organizations should immediately upgrade all MCP server deployments to version 2025.9.25 or later, where the vulnerable git_init tool has been removed. Until upgrades are applied, restrict network access to MCP servers to trusted internal networks and implement strict firewall rules to limit exposure. Conduct audits of existing repositories and filesystem permissions to detect unauthorized repository creation or suspicious directory modifications. Employ application-level monitoring and logging to detect anomalous git_init usage or unexpected filesystem changes. Additionally, enforce the principle of least privilege on the server process to minimize accessible directories and reduce potential attack surface. Integrate secure software development lifecycle (SSDLC) practices to monitor and validate repository integrity continuously. Finally, educate developers and administrators about the risks associated with arbitrary path acceptance and ensure that any custom tools or scripts validate input paths rigorously.
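The last recommendation above, that custom tools validate input paths rigorously, combines naturally with the property the description attributes to the server's other tools: they only act on an existing repository. The following is an added example, not code from mcp-server-git or the modelcontextprotocol project, showing one way to gate a tool's path argument before any git operation runs. It resolves the path first (so ".." segments and symlinks are seen as their real location), checks containment in an allow-list of roots, and then requires a .git directory. The function names, the allow-list model and the sandbox built by demo() are assumptions for illustration; a real server would substitute its own configured roots.

```python
"""Added example (not mcp-server-git's own code): confine a tool's path
argument to an allow-list of repository roots and require that the target
already be a Git repository before any operation runs on it."""
import tempfile
from pathlib import Path


class PathNotAllowed(ValueError):
    """Raised when a requested path escapes the allowed roots or is not a repo."""


def validate_repo_path(candidate: str, allowed_roots: list, require_repo: bool = True) -> Path:
    """Return the resolved path if it lies inside an allowed root (and, by
    default, is an existing Git repository); otherwise raise PathNotAllowed."""
    # Resolve symlinks and ".." segments first so the containment check sees the
    # real filesystem location rather than the string the caller supplied.
    real = Path(candidate).resolve()
    roots = [Path(r).resolve() for r in allowed_roots]
    if not any(real == root or root in real.parents for root in roots):
        raise PathNotAllowed(f"{candidate!r} is outside the allowed roots")
    # Mirror the "existing repositories only" rule: refuse plain directories.
    if require_repo and not (real / ".git").is_dir():
        raise PathNotAllowed(f"{candidate!r} is not an existing Git repository")
    return real


def demo() -> dict:
    """Build a constructed sandbox (hypothetical layout) and exercise the check.
    Returns a mapping of scenario name -> whether the path was accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repos"            # the single allowed root
        repo = root / "project"
        (repo / ".git").mkdir(parents=True)   # constructed: looks like a Git repo
        outside = Path(tmp) / "outside"       # a directory the tool must not touch
        outside.mkdir()
        # A symlink inside the root that points outside it.
        (root / "escape").symlink_to(outside, target_is_directory=True)

        def allowed(p):
            try:
                validate_repo_path(str(p), [root])
                return True
            except PathNotAllowed:
                return False

        results["existing_repo"] = allowed(repo)                    # accepted
        results["dotdot_escape"] = allowed(root / ".." / "outside")  # rejected
        results["symlink_escape"] = allowed(root / "escape")         # rejected
        results["plain_dir_no_repo"] = allowed(root)                 # rejected
        results["absolute_outside"] = allowed(outside)               # rejected
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

The order of checks matters: resolving before comparing is what defeats both the ".." and the symlink cases, and the repository requirement is applied only after containment so that a rejected path never reveals whether it exists.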


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-15T18:15:08.404Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69432efa058703ef3fc97f38

Added to database: 12/17/2025, 10:30:18 PM

Last enriched: 12/17/2025, 11:26:02 PM

Last updated: 12/18/2025, 1:15:58 PM
