
CVE-2025-68145: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in modelcontextprotocol servers

Severity: Medium
Tags: Vulnerability, CVE-2025-68145, CWE-22
Published: Wed Dec 17 2025 (12/17/2025, 22:12:45 UTC)
Source: CVE Database V5
Vendor/Project: modelcontextprotocol
Product: servers

Description

In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue.

AI-Powered Analysis

Last updated: 12/25/2025, 00:11:21 UTC

Technical Analysis

CVE-2025-68145 is a path traversal weakness (CWE-22) in mcp-server-git, the git reference server shipped in the modelcontextprotocol/servers repository, in versions before 2025.12.17. The server can be started with a --repository flag intended to confine git operations to one repository path, but it did not verify that the repo_path argument of subsequent tool calls actually lay within that directory. A caller could therefore name a path outside the configured repository and have git operations run against any other repository the server process could reach. The root cause is a missing check: the server did not resolve the configured repository and the requested path to canonical form (following symlinks) and compare the two before invoking git, so neither a plain "../" escape nor a symlink pointing out of the repository was caught. The CVSS 4.0 score of 6.4 recorded here (medium) assumes a network attack vector, low attack complexity and no privileges or user interaction. In practice the attacker is whoever can issue tool calls to the server; for an MCP server that is the connected client and the model driving it, so a model steered by injected instructions is the realistic route to triggering the bug. The fix in 2025.12.17 resolves both paths and refuses any request whose resolved path is not the configured repository or a descendant of it, before any git command runs. No exploitation in the wild has been reported, but the flaw could expose or alter source code in adjacent repositories and disrupt development workflows.
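The check the description says the fix adds, resolving both paths and testing containment, is easy to get wrong with a string comparison. The following is an added example written for this page, not mcp-server-git's own code: the function names, the temporary directory layout and the "naive" comparison (a stand-in for an insufficient check, not a quote of the vulnerable code) are all constructed for the demonstration. It shows the four inputs a practitioner should test against any such boundary: a path genuinely inside the repository, a "../" escape, a symlink inside the repository pointing outside it, and a sibling directory whose name merely shares a prefix.

```python
"""Illustrative repo_path confinement check (example code, not the project's own)."""
import os
import tempfile
from pathlib import Path


class RepoPathError(Exception):
    """Raised when a requested repo_path resolves outside the allowed repository."""


def naive_check(allowed: str, requested: str) -> bool:
    """Stand-in for an insufficient check: a prefix comparison on unresolved strings.
    It accepts '..' segments, symlinks and sibling names that share a prefix."""
    return requested.startswith(allowed)


def validate_repo_path(allowed_repo: str, requested: str) -> Path:
    """Resolve both paths (following symlinks) and require the requested path to be
    the allowed repository itself or a descendant of it.

    Returns the resolved path to hand to git; raises RepoPathError otherwise.
    This must run before any git operation is attempted."""
    # strict=True: the configured repository must exist, otherwise fail at startup.
    allowed = Path(allowed_repo).resolve(strict=True)
    candidate = Path(requested)
    if not candidate.is_absolute():
        # Relative requests are interpreted inside the repository, never against cwd.
        candidate = allowed / candidate
    # strict=False so a not-yet-existing leaf still resolves its existing prefix;
    # symlinks anywhere on the path are followed before the comparison.
    target = candidate.resolve(strict=False)
    if not target.is_relative_to(allowed):  # component-wise, not a string prefix
        raise RepoPathError(f"{requested} resolves to {target}, outside {allowed}")
    return target


def build_layout(root: Path) -> None:
    """Constructed layout for the demo (plain directories, not real git repos):
    root/allowed          the repository named via --repository
    root/allowed2         a sibling whose name shares a prefix with 'allowed'
    root/other            another repository the server process can read
    root/allowed/escape   a symlink inside 'allowed' that points at 'other'"""
    (root / "allowed" / "src").mkdir(parents=True)
    (root / "allowed2").mkdir()
    (root / "other").mkdir()
    os.symlink(root / "other", root / "allowed" / "escape")


def run_cases(root: Path) -> dict:
    """Return {case: (naive_accepts, hardened_accepts)} for each probe path."""
    allowed = str(root / "allowed")
    cases = {
        "inside": str(root / "allowed" / "src"),
        "dotdot": str(root / "allowed" / ".." / "other"),
        "symlink": str(root / "allowed" / "escape"),
        "sibling_prefix": str(root / "allowed2"),
        "unrelated": str(root / "other"),
    }
    results = {}
    for name, requested in cases.items():
        naive = naive_check(allowed, requested)
        try:
            validate_repo_path(allowed, requested)
            hardened = True
        except RepoPathError:
            hardened = False
        results[name] = (naive, hardened)
    return results


def demo() -> dict:
    """Build the constructed layout in a temp dir and run all probes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_layout(root)
        return run_cases(root)


if __name__ == "__main__":
    for case, (naive, hardened) in demo().items():
        print(f"{case:15} naive={naive!s:5} hardened={hardened}")
```

Only the "inside" probe passes the hardened check; the naive prefix comparison additionally accepts the "../" escape, the symlink and the sibling directory, which is exactly the class of request the pre-fix server let through. Note that the symlink case contains no traversal sequence at all, so any filter that only looks for "../" in the request text would miss it.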

Potential Impact

For European organizations, the risk is unauthorized reading or modification of source code in repositories that an mcp-server-git process can reach but was configured not to touch. Exploitation could expose intellectual property, insert malicious code, or disrupt development processes. The boundary the --repository flag was meant to enforce was not enforced, so the effective blast radius is every repository readable or writable by the account the server runs as, not just the one it was configured for. The medium severity indicates moderate risk, but the absence of any authentication requirement and the ability to trigger the flaw through ordinary tool calls increase the likelihood of abuse, especially where servers are reachable over the network or driven by models processing untrusted content. This affects software vendors, technology companies, and any enterprise that exposes git repositories to AI agents through mcp-server-git. A modified repository can also become a supply chain vector for downstream consumers of the code. Impact on availability is limited but possible if malicious git operations corrupt repository state or destabilize the server.

Mitigation Recommendations

European organizations should plan to upgrade all mcp-server-git instances to version 2025.12.17 or later once available. Until the patch is applied, treat the --repository flag as non-enforcing and rely on the process's own filesystem permissions as the boundary: run the server as a dedicated user, or in a container, that can see only the intended repository, so that a traversal has nowhere to go. Restrict network access to any server reachable over a network transport, limiting exposure to trusted internal networks with firewall rules and segmentation. Audit the filesystem visible to the server process to confirm no unintended repositories are accessible. Monitor logs for git operations against unexpected paths, and use host-based intrusion detection to flag anomalous filesystem or git command activity. Application-layer proxies or web application firewalls that filter traversal sequences help only where the server is reached over HTTP, and not for stdio deployments; they also cannot catch a symlink-based escape, whose request path contains no "../" at all, which is why the fix resolves symlinks rather than pattern-matching the input. Educate development and operations teams about the vulnerability and the importance of timely patching, and review permissions on repository directories to minimize the impact of any traversal.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-12-15T19:06:04.108Z
CVSS Version: 4.0
State: PUBLISHED

Added to database: 12/17/2025, 10:30:18 PM

Last enriched: 12/25/2025, 12:11:21 AM

Last updated: 2/7/2026, 11:42:24 AM