CVE-2025-68145 is a path traversal vulnerability classified under CWE-22 affecting modelcontextprotocol (mcp) servers before version 2025.12.17. The mcp server can be started with the --repository flag to restrict git operations to a specific repository path, intended to prevent unauthorized access to other repositories on the server. However, the server did not validate that repo_path arguments provided in subsequent tool calls were actually within the configured repository path. This lack of validation allows an attacker to craft tool calls with repo_path parameters that traverse directories outside the restricted repository, potentially accessing or modifying other repositories accessible to the server process. The vulnerability arises because the server failed to resolve and verify the requested paths, including following symbolic links, against the configured repository path before executing git operations. The fix implemented in version 2025.12.17 adds robust path validation that resolves both the configured repository path and the requested repo_path, ensuring the requested path is strictly within the allowed repository boundary. The CVSS 4.0 score is 6.4 (medium severity), reflecting that the vulnerability can be exploited remotely without authentication or privileges but requires user interaction to trigger the vulnerable tool calls. No known exploits are currently reported in the wild. This vulnerability could lead to unauthorized access or modification of git repositories beyond the intended scope, potentially exposing sensitive source code or disrupting development workflows.

For European organizations, this vulnerability poses a risk of unauthorized access and manipulation of source code repositories managed by mcp servers. Organizations relying on mcp servers to enforce repository access restrictions could have these controls bypassed, leading to potential intellectual property theft, code tampering, or supply chain risks if malicious code is injected. The impact is particularly significant for software development companies, technology firms, and any enterprise using mcp servers to manage critical codebases. Unauthorized repository access could also lead to exposure of sensitive information contained in code or configuration files. Additionally, disruption of repository integrity could affect development pipelines and product releases. Given the medium severity and the lack of authentication requirements, attackers with network access to the mcp server could exploit this vulnerability, increasing the risk profile for organizations with exposed or poorly segmented internal networks.

European organizations should immediately plan and execute an upgrade to modelcontextprotocol server version 2025.12.17 or later, which includes the patch that enforces strict path validation and symlink resolution. Until the upgrade is applied, organizations should restrict network access to mcp servers to trusted users and networks only, using firewalls and network segmentation to limit exposure. Monitoring and logging of git operations on mcp servers should be enhanced to detect unusual repository access patterns that may indicate exploitation attempts. Implementing strict access controls and auditing on the underlying filesystem and repositories can reduce the impact of unauthorized access. Additionally, organizations should review and harden the configuration of mcp servers, avoiding unnecessary use of the --repository flag if not required, and validating all inputs in custom tooling that interacts with mcp servers. Regular vulnerability scanning and penetration testing focusing on repository access controls can help identify residual risks.