CVE-2025-68144 is a vulnerability classified under CWE-88 (Improper Neutralization of Argument Delimiters in a Command, or Argument Injection) affecting modelcontextprotocol (mcp) servers, specifically versions prior to 2025.12.17. The issue resides in the git_diff and git_checkout functions, which accept user-controlled input that is passed directly to underlying git CLI commands without proper sanitization or validation. This allows an attacker to inject command-line options (flags) such as --output=/path/to/file, which git interprets as legitimate command-line options rather than git references. Consequently, this can lead to arbitrary file overwrites on the server’s filesystem, potentially overwriting critical files or injecting malicious content. The vulnerability does not require authentication and can be triggered with user interaction, increasing its risk profile. The patch introduced in version 2025.12.17 mitigates the issue by rejecting any argument starting with a dash ('-') and verifying that the argument resolves to a valid git reference via git rev_parse before executing the command. The CVSS 4.0 score is 6.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction and affecting system integrity with high scope. No known exploits have been reported in the wild as of publication. This vulnerability highlights the risks of improper input validation in command execution contexts, especially when interfacing with powerful CLI tools like git.

For European organizations, this vulnerability poses a risk primarily to the integrity and availability of systems running vulnerable versions of the modelcontextprotocol servers. Arbitrary file overwrite can lead to corruption or replacement of critical files, potentially causing service disruption or enabling further compromise if attackers overwrite configuration files or inject malicious code. Organizations relying on mcp servers for development workflows, continuous integration, or deployment pipelines could face operational interruptions or data integrity issues. Since exploitation requires user interaction, phishing or social engineering could be vectors to trigger the vulnerability. The lack of authentication requirement increases the attack surface, especially for publicly accessible services. While no exploits are currently known, the potential for damage warrants proactive patching. The impact on confidentiality is minimal as the vulnerability does not directly expose data but could be leveraged in chained attacks. Overall, European entities with software development or DevOps infrastructure using mcp servers must consider this a moderate risk to operational stability and integrity.

European organizations should immediately plan to upgrade all affected modelcontextprotocol server instances to version 2025.12.17 or later once available. Until patching is complete, implement strict input validation and sanitization on any user inputs that interact with git commands, ensuring no arguments starting with '-' are accepted. Employ application-layer firewalls or intrusion prevention systems to detect and block suspicious command injection patterns targeting git CLI usage. Limit user permissions and isolate mcp server environments to minimize impact of potential file overwrites. Conduct security awareness training to reduce the risk of social engineering attacks that could trigger user interaction exploitation. Regularly audit git repository and server file integrity to detect unauthorized changes. Finally, monitor logs for anomalous git command executions that include unexpected flags or parameters. These targeted mitigations go beyond generic advice by focusing on the specific injection vector and operational context of the vulnerability.