
CVE-2025-68144: CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in modelcontextprotocol servers

Severity: Medium
Published: Wed Dec 17 2025 (12/17/2025, 22:10:56 UTC)
Source: CVE Database V5
Vendor/Project: modelcontextprotocol
Product: servers

Description

In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with - and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 to resolve this issue when it is released.

AI-Powered Analysis

Last updated: 12/17/2025, 23:25:50 UTC

Technical Analysis

CVE-2025-68144 affects modelcontextprotocol servers, specifically the mcp-server-git component versions prior to 2025.12.17. The vulnerability arises from improper neutralization of argument delimiters (CWE-88) in the git_diff and git_checkout functions. These functions accept user-controlled input that is passed directly to underlying git CLI commands without proper sanitization or validation. Attackers can exploit this by injecting flag-like arguments (e.g., --output=/path/to/file) that git interprets as command-line options rather than git references. This leads to unintended command behavior, such as overwriting arbitrary files on the filesystem. The root cause is the failure to reject arguments starting with '-' and the lack of verification that the argument corresponds to a valid git reference. The patch introduced in version 2025.12.17 adds validation to reject such arguments and uses git rev_parse to confirm the argument is a valid git ref before execution. The vulnerability is exploitable remotely over the network without authentication but requires user interaction, such as submitting crafted input to the affected functions. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:L) indicates a medium severity with high scope impact due to potential file overwrites. No known public exploits exist yet, but the vulnerability poses a risk to environments where mcp-server-git is used in automated workflows or exposed services.
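The guard described in the description and analysis above (reject flag-like values, then confirm the value resolves via rev-parse) as an added example; this is not mcp-server-git's own code, and the function names, the `resolve` hook and the sample refs are assumptions.

```python
import subprocess
from typing import Callable, Optional

# Added example of a CWE-88 guard for user-supplied git refs. Not the
# project's own fix; names below are assumptions made for illustration.

class InvalidRefError(ValueError):
    """Raised when a user-supplied value must not reach the git CLI."""

def is_flag_like(value: str) -> bool:
    """True if git would parse the value as an option instead of a ref."""
    return value.startswith("-")

def git_rev_parse(repo_path: str, ref: str) -> Optional[str]:
    """Resolve ref to an object id with `git rev-parse --verify`.
    Returns None when git cannot resolve it. Requires a git binary.
    Caveat: rev-parse itself accepts options, so the leading-dash check
    must run before this call, never instead of it."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "rev-parse", "--verify", "--quiet", ref],
        capture_output=True, text=True,
    )
    return proc.stdout.strip() if proc.returncode == 0 else None

def validate_git_ref(repo_path: str, ref: str,
                     resolve: Callable[[str, str], Optional[str]] = git_rev_parse) -> str:
    """Return the resolved object id for ref or raise InvalidRefError.
    `resolve` is injectable so the check can be exercised without a repo."""
    if not ref:
        raise InvalidRefError("empty git argument")
    if is_flag_like(ref):
        # e.g. "--output=/path/to/file" would become a git option
        raise InvalidRefError(f"refusing flag-like git argument: {ref!r}")
    if "\x00" in ref or any(c in ref for c in "\r\n"):
        raise InvalidRefError(f"refusing control characters in {ref!r}")
    resolved = resolve(repo_path, ref)
    if resolved is None:
        raise InvalidRefError(f"not a valid git ref: {ref!r}")
    return resolved

def ref_is_safe(repo_path: str, ref: str,
                resolve: Callable[[str, str], Optional[str]] = git_rev_parse) -> bool:
    """Boolean gate suitable for a tool handler: only refs that pass
    both checks may be appended to a git command line."""
    try:
        validate_git_ref(repo_path, ref, resolve)
        return True
    except InvalidRefError:
        return False
```

Only values that pass `validate_git_ref` should be appended to the `git diff` or `git checkout` argument list; the resolver runs after the dash check because `rev-parse` would otherwise interpret the same flag-like value as its own option.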

Potential Impact

For European organizations, this vulnerability could lead to unauthorized overwriting of files on systems running vulnerable versions of mcp-server-git, potentially disrupting development workflows, corrupting source code repositories, or overwriting critical configuration files. This could impact the integrity and availability of software development environments and continuous integration/continuous deployment (CI/CD) pipelines. Since the vulnerability does not require authentication but does require user interaction, attackers could exploit it via phishing or malicious input submissions in environments where mcp-server-git is exposed to untrusted users or automated inputs. The impact is particularly significant for organizations relying heavily on git-based workflows and automated DevOps tools integrating modelcontextprotocol servers. Although no confidentiality impact is indicated, the integrity and availability risks could lead to operational disruptions and increased remediation costs. European organizations with stringent compliance requirements around software integrity and supply chain security may face regulatory and reputational risks if exploited.

Mitigation Recommendations

European organizations should immediately plan to update all instances of mcp-server-git to version 2025.12.17 or later once released. Until the patch is applied, restrict access to mcp-server-git services to trusted users only and implement input validation controls at the application or network level to block arguments starting with '-'. Employ strict monitoring and logging of git command invocations to detect anomalous or unexpected flag usage. Integrate security scanning into CI/CD pipelines to detect vulnerable versions of mcp-server-git and prevent deployment of unpatched software. Educate users and developers about the risks of submitting untrusted input to git-related functions. Consider isolating or sandboxing git operations to limit the impact of potential file overwrites. Finally, conduct regular audits of file integrity in repositories and related configuration files to quickly identify unauthorized changes.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-15T19:06:04.108Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69432efa058703ef3fc97f3c

Added to database: 12/17/2025, 10:30:18 PM

Last enriched: 12/17/2025, 11:25:50 PM

Last updated: 12/18/2025, 10:49:24 AM


