RAXE-2026-021 MEDIUM CVSS 6.5 v4.0 S2

MCP Server git_init Path Traversal via Unrestricted Repository Initialisation (CVE-2025-68143)

Agent Security 2026-03-09 M. Hirani TLP:GREEN
CVE-2025-68143 CVE-2026-27735

Executive Summary

What: CVE-2025-68143 is a medium-severity path traversal vulnerability (CVSS 6.5 v4.0, CWE-22) in the git_init tool of mcp-server-git, the Python-based Model Context Protocol (MCP) reference server for Git operations (NVD, PyPI). Versions prior to 2025.9.25 are affected; the fix is available in version 2025.9.25 (GHSA-5cgr-j3jf-jw3v). The vulnerability allowed the git_init tool to create Git repositories at arbitrary filesystem paths without any validation of the target location (GHSA-5cgr-j3jf-jw3v). The remediation removed the git_init tool entirely, consolidating all remaining operations to require a pre-existing repository (commit eac56e7).

So What: This is the second path traversal CVE in the MCP Git server reference implementation, following CVE-2026-27735 in the git_add tool (RAXE-2026-014). The git_init vulnerability is distinct because it was the only tool that could extend the attack surface to new filesystem locations -- all other MCP Git tools required a pre-existing repository. Once a repository was initialised at an unintended path, subsequent operations (git_add, git_diff, git_commit) could be performed against that directory, amplifying the impact beyond the initial path traversal (GHSA-5cgr-j3jf-jw3v). In an agentic deployment, a prompt-injected AI agent could invoke git_init with a traversal path, making the agent an unwitting vehicle for arbitrary filesystem manipulation via the MCP tool-execution layer (RAXE assessment).

Now What: Organisations deploying MCP servers should upgrade mcp-server-git to version 2025.9.25 or later immediately (GHSA-5cgr-j3jf-jw3v). Security teams should audit MCP tool invocation logs for any historical git_init calls targeting paths outside expected working directories and deploy the detection signatures provided in this advisory.

Risk Rating

Dimension Rating Detail
Severity MEDIUM CVSS v4.0: 6.5 (NVD). Note: this is a CVSS v4.0 score; no v3.1 score is available from NVD at time of writing. The v4.0 score is recorded as-is.
Urgency HIGH Patch is available (version 2025.9.25, confirmed on PyPI). The vulnerable git_init tool has been removed entirely (GHSA-5cgr-j3jf-jw3v).
Scope MODERATE Affects the official MCP reference implementation (mcp-server-git pip package), maintained under the Model Context Protocol project. The MCP specification is an emerging standard for AI agent tool integration; the reference implementation is a widely referenced starting point for deployments (RAXE assessment).
Confidence CONFIRMED CVE assigned (NVD), vendor advisory published (GHSA-5cgr-j3jf-jw3v), fix merged (commit eac56e7), patched version released on PyPI (PyPI).
Business Impact MODERATE Successful exploitation enables creation of Git repositories at arbitrary filesystem locations accessible to the server process. Subsequent Git operations could expose file contents (NVD: SC:H), modify files (NVD: SI:H), or disrupt operations (NVD: SA:H) within the target directory. Impact is bounded by the MCP server process's privilege level.

Affected Products

Product Registry Affected Versions Fixed Version Source
mcp-server-git PyPI < 2025.9.25 2025.9.25 GHSA-5cgr-j3jf-jw3v

Am I Affected?

  1. Check if you use mcp-server-git:
   pip show mcp-server-git

If this returns package information, you have the package installed.

  1. Check your installed version:
   pip show mcp-server-git | grep Version

If the version is below 2025.9.25, you are affected (GHSA-5cgr-j3jf-jw3v).

  1. Verify the git_init tool is absent: On a patched server (>= 2025.9.25), invoking git_init will return a "tool not found" error. If the tool responds successfully, the deployment is vulnerable (GHSA-5cgr-j3jf-jw3v).

  2. Upgrade:

   pip install --upgrade mcp-server-git

Abstract

CVE-2025-68143 is a path traversal vulnerability (CWE-22) in the git_init tool exposed by the official Model Context Protocol (MCP) Git server reference implementation. The tool accepted an arbitrary filesystem path via the repo_path parameter and called git.Repo.init(path=repo_path, mkdir=True) without validating that the target path fell within a permitted working directory (GHSA-5cgr-j3jf-jw3v, commit eac56e7). Unlike all other tools in the MCP Git server -- which required an existing repository -- git_init could operate on any directory accessible to the server process, creating a .git/ directory at the attacker-specified location (GHSA-5cgr-j3jf-jw3v). Once a repository was initialised at an unintended path, subsequent MCP Git tools (git_add, git_commit, git_diff) could operate against that directory, because it now contained a valid repository (commit eac56e7). The fix in version 2025.9.25 removed the git_init tool entirely rather than adding path validation (commit eac56e7). This is the second path traversal CVE in the MCP Git server reference implementation, following CVE-2026-27735 in git_add (RAXE-2026-014). The finding maps to MITRE ATLAS technique AML.T0053 (AI Agent Tool Invocation). The repeated pattern of path validation failures in MCP reference servers indicates, in RAXE assessment, a systemic weakness in the tool-execution layer of AI agent infrastructure.

Key Findings

  1. Path traversal via unrestricted git_init (confirmed). The git_init tool in mcp-server-git versions prior to 2025.9.25 accepted arbitrary filesystem paths and created Git repositories without validation. The underlying call was git.Repo.init(path=repo_path, mkdir=True), where repo_path was attacker-controlled and mkdir=True permitted directory creation (GHSA-5cgr-j3jf-jw3v, commit eac56e7).

  2. Unique attack surface expansion capability (confirmed). The git_init tool was the only tool in the MCP Git server that did not require a pre-existing repository. This made it the single entry point capable of extending the attack surface to new filesystem locations. All other tools operated within existing repositories (commit eac56e7).

  3. Follow-on operations amplify impact (RAXE assessment). Once a .git/ directory was created at a target path, that path satisfied the precondition required by all other MCP Git tools. An attacker could then invoke git_add to stage files, git_diff to read file contents, or git_commit to record changes -- all within the newly initialised directory. The CVSS v4.0 vector reflects this amplification: while direct impact on the vulnerable system is rated None (VC/VI/VA:N), subsequent system impact is rated High across all three dimensions (SC/SI/SA:H) (NVD).

  4. Second MCP Git server path traversal CVE (confirmed). CVE-2025-68143 follows CVE-2026-27735 (GHSA-vjqx-cfc4-9h6v), a path traversal in the git_add tool within the same MCP Git server (RAXE-2026-014). Together, these represent a two-step attack chain: initialise a repository at a sensitive path via git_init, then stage or read files via git_add (RAXE assessment).

  5. Agentic delivery vector (RAXE assessment). In an MCP deployment, the AI agent is the caller of the git_init tool. A prompt injection attack could instruct the agent to invoke git_init with a path pointing to a sensitive directory. The MCP server has no mechanism to distinguish between a legitimate tool invocation and one driven by prompt injection (RAXE assessment).

  6. Patch removes the tool entirely (confirmed). The fix did not add path validation to git_init; it removed the tool completely from the server, along with its associated class, enum value, and handler logic (+5, -23 lines in server.py) (commit eac56e7).

Attack Flow

+---------------------+       +--------------------+       +-------------------+
|   ADVERSARY INPUT   |       |     AI AGENT       |       |   MCP GIT SERVER  |
|                     |       |                    |       |                   |
|  Malicious document |       | Processes prompt   |       | Receives tool     |
|  or user message    +------>+ injection payload  +------>+ invocation via    |
|  containing prompt  |       |                    |       | MCP protocol      |
|  injection payload  |       | Agent interprets   |       |                   |
|                     |       | instruction as     |       | tools/call:       |
| "Initialise a repo  |       | legitimate tool    |       |   git_init        |
|  at /etc/config"   |       | request            |       |   repo_path:      |
|                     |       |                    |       |   /etc/config     |
|                     |       | Invokes git_init   |       |                   |
|                     |       | via MCP protocol   |       |                   |
+---------------------+       +--------------------+       +--------+----------+
                                                                    |
                                                                    v
                                                           +--------+----------+
                                                           | PATH VALIDATION   |
                                                           |                   |
                                                           | git_init does NOT |
                                                           | validate repo_path|
                                                           | against any       |
                                                           | boundary          |
                                                           |                   |
                                                           | Calls:            |
                                                           | git.Repo.init(    |
                                                           |   path=repo_path, |
                                                           |   mkdir=True)     |
                                                           +--------+----------+
                                                                    |
                                                           (GHSA-5cgr-j3jf-jw3v)
                                                                    |
                                                                    v
                                                           +--------+----------+
                                                           | REPOSITORY        |
                                                           | CREATED           |
                                                           |                   |
                                                           | .git/ directory   |
                                                           | created at        |
                                                           | /etc/config/.git/ |
                                                           |                   |
                                                           | Target directory  |
                                                           | is now a valid    |
                                                           | Git repository    |
                                                           +--------+----------+
                                                                    |
                                                           (commit eac56e7)
                                                                    |
                                                                    v
                                                           +--------+----------+
                                                           | FOLLOW-ON         |
                                                           | OPERATIONS        |
                                                           |                   |
                                                           | git_add: stage    |
                                                           |   files from      |
                                                           |   target dir      |
                                                           | git_diff: read    |
                                                           |   file contents   |
                                                           | git_commit: alter |
                                                           |   directory state |
                                                           |                   |
                                                           | IMPACT:           |
                                                           | SC:H SI:H SA:H   |
                                                           | (NVD)             |
                                                           +-------------------+

Attack Chain: MITRE ATLAS AML.T0053 (AI Agent Tool Invocation)

  Step 1: Adversary crafts prompt injection payload with target path (RAXE assessment)
  Step 2: AI agent processes payload, treats it as legitimate tool request (RAXE assessment)
  Step 3: Agent invokes git_init via MCP protocol with attacker-controlled repo_path (RAXE assessment)
  Step 4: MCP server lacks path validation; creates .git/ at target location (GHSA-5cgr-j3jf-jw3v)
  Step 5: Target directory now satisfies preconditions for all other MCP Git tools (commit eac56e7)
  Step 6: Follow-on tools (git_add, git_diff, git_commit) operate on target directory (RAXE assessment)

Technical Details

Vulnerability Mechanism

CVE-2025-68143 is a path traversal (CWE-22 per NVD; CWE-36 per GHSA-5cgr-j3jf-jw3v) vulnerability in the git_init tool implementation within the MCP Git server. The tool used GitPython's git.Repo.init() to create repositories and did not enforce any path boundary validation (GHSA-5cgr-j3jf-jw3v, commit eac56e7).

Normal operation: An AI agent or user connected to an MCP Git server invokes the git_init tool with a repo_path parameter to initialise a new Git repository at a specified location. The MCP protocol defines the tool invocation as a structured message (tools/call) with the tool name and arguments.

Exploitation: An attacker (or a prompt-injected AI agent) supplies a repo_path value pointing to a sensitive or unintended directory accessible to the MCP server process. Because no validation was applied, paths of the following forms were all accepted (GHSA-5cgr-j3jf-jw3v):

  • Absolute paths to sensitive directories (e.g., /etc/config, /root)
  • Paths using ../ sequences to escape any assumed working directory
  • Any directory accessible to the server process, regardless of its purpose

The call git.Repo.init(path=repo_path, mkdir=True) would create the directory tree and a .git/ subdirectory at the target location, establishing a valid Git repository (commit eac56e7).

CVSS v4.0 Vector Analysis

The CVSS v4.0 vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (NVD) is interpreted as follows:

CVSS Element Value Interpretation
AV:N Network MCP server reachable over network or local socket (NVD)
AC:L Low complexity No special conditions; arbitrary path string is sufficient (NVD)
AT:N No attack requirements No preconditions beyond network access (NVD)
PR:N No privileges Tool invocation requires no authentication by default (NVD)
UI:P Passive user interaction The AI agent acts on injected input without explicit human approval (NVD)
VC/VI/VA:N No direct impact The vulnerable system (MCP server itself) is not directly compromised (NVD)
SC:H High subsequent confidentiality Files in the target directory become readable via follow-on tools (NVD)
SI:H High subsequent integrity Files in the target directory can be staged or committed (NVD)
SA:H High subsequent availability Creating .git/ in critical paths may disrupt operations (NVD)

This scoring pattern reflects an attack that uses the MCP server as a conduit to affect the broader filesystem (NVD).

CWE Classification

NVD classifies this vulnerability under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), while the GHSA advisory classifies it under CWE-36 (Absolute Path Traversal) (NVD, GHSA-5cgr-j3jf-jw3v). CWE-36 is a child of CWE-22; both are applicable. The core weakness is that the git_init tool accepted attacker-controlled filesystem paths without boundary validation.

The Agentic Dimension (RAXE Assessment)

The following analysis extends beyond the scope of the CVE/GHSA advisory, which describes the path traversal itself. In an MCP deployment:

  • The AI agent is the caller of the git_init tool. The MCP server receives tool invocations from the agent via the MCP protocol.
  • The agent constructs tool arguments based on its context, which includes user messages, document contents, and other inputs.
  • If an adversary can influence the agent's context through prompt injection, the adversary can control the repo_path argument passed to git_init.
  • The MCP server has no mechanism to distinguish between a legitimate tool invocation and one driven by prompt injection. It trusts the agent's request.
  • The UI:P (passive user interaction) CVSS rating reflects this reality: the AI agent itself acts as the user, and a prompt injection attack satisfies this requirement without any legitimate user action.
  • The git_init tool was uniquely dangerous in this context because it was the only tool that did not require a pre-existing repository, making it the entry point for extending the attack surface to entirely new filesystem locations (commit eac56e7).

Two-Step Attack Chain (Cross-Reference: RAXE-2026-014)

The combination of CVE-2025-68143 (git_init path traversal) and CVE-2026-27735 (git_add path traversal, GHSA-vjqx-cfc4-9h6v) creates a two-step attack chain (RAXE assessment):

Step Tool CVE Action Impact
1 git_init CVE-2025-68143 Create .git/ at a sensitive target path Extends repository scope to the target directory
2 git_add CVE-2026-27735 Stage files within the newly initialised repository Exposes file contents to subsequent git_diff/git_log calls

This chain requires the attacker to sustain prompt injection or API access across sequential tool invocations (RAXE assessment).

Fix Analysis

The fix (commit eac56e7, authored by @0dd, reported by yardenporat via HackerOne) removed the git_init tool entirely from mcp-server-git version 2025.9.25 (GHSA-5cgr-j3jf-jw3v):

  • Removed the GitInit Pydantic model (parameter class for repo_path)
  • Removed the INIT value from the GitTools enumeration
  • Removed the git_init() function containing the git.Repo.init() call
  • Removed the Tool definition that exposed git_init as an available MCP tool
  • Removed the special-case logic in call_tool() that handled git_init separately (because it did not require an existing repository)
  • Net change: +5 lines, -23 lines in server.py

The fix consolidates all remaining tools to require a pre-existing repository, eliminating the unique attack surface expansion capability of git_init (commit eac56e7).

Confidence & Validation

Assessment Confidence: Confirmed

Aspect Status Detail
Vendor Advisory Yes GHSA-5cgr-j3jf-jw3v published by the MCP servers repository maintainers, reported by yardenporat via HackerOne (GHSA-5cgr-j3jf-jw3v)
CVE Assigned Yes CVE-2025-68143 (NVD), published 2025-12-17 (NVD)
CVSS Score 6.5 v4.0 MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (NVD)
PoC Available Conceptual Attack mechanism is documented from the advisory and commit diff; no public exploit code (RAXE assessment)
Patch Available Yes Fixed in mcp-server-git 2025.9.25 (PyPI), commit eac56e7 (GHSA-5cgr-j3jf-jw3v)
Exploited in Wild No evidence No public reports of exploitation in the wild at time of writing
EPSS 0.156%, 36th percentile Low predicted exploitation probability (FIRST EPSS)

Source Reliability

Source Type Admiralty Grade Key Data
NVD/NIST CVE database A1 CVE-2025-68143: CWE-22, CVSS 6.5 v4.0, published 2025-12-17
GHSA-5cgr-j3jf-jw3v Vendor advisory A1 mcp-server-git < 2025.9.25, fixed 2025.9.25, moderate severity, CWE-36
Commit eac56e7 Patch A1 Removal of git_init tool (+5, -23 lines in server.py)
PyPI Package registry A1 mcp-server-git 2025.9.25 released 2025-09-25
FIRST EPSS Exploit prediction B2 0.156% probability, 36th percentile

Detection Signatures (Formal Rules)

Four Sigma detection rules have been developed for this vulnerability. These rules cover process-level, filesystem-level, and sequential-behaviour detection.

Detection Limitations: These rules are marked experimental and should be tuned before production deployment. Rule 2 (sensitive-path git init) and Rule 3 (.git directory creation in sensitive paths) will generate false positives in environments where repositories are legitimately initialised in system directories -- container image builds, CI/CD runners using /tmp, developer provisioning tools under /opt or /srv, and package managers that use Git internally. Rule 4 (sequential git init + follow-on operation) relies on temporal correlation within a 30-second window; automated repository bootstrapping scripts (e.g., cookiecutter, scaffold tooling) will trigger this rule. Organisations should baseline their environment's normal git init activity before deploying these rules at high alert level. Rule 1 (MCP server parent process) is the most precise but requires the telemetry source to capture ParentImage reliably.

Sigma Rule 1 -- MCP Server Process Spawns git init

Detects the mcp-server-git process spawning a git init subprocess. In versions >= 2025.9.25, the git_init tool was removed entirely; any git init invocation from this parent process on a patched deployment is unexpected (commit eac56e7).

title: MCP Server Process Spawns git init
id: 8b1a4e7c-5f2d-4c89-a3b1-0d6e9f2c8a47
status: experimental
description: >
  Detects the mcp-server-git process spawning a git init subprocess, which indicates
  the vulnerable git_init tool (CVE-2025-68143) may be active. In versions >= 2025.9.25
  the git_init tool was removed entirely (commit eac56e7); any git init invocation from
  this parent process on a patched deployment is unexpected.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68143
  - https://github.com/advisories/GHSA-5cgr-j3jf-jw3v
  - https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
tags:
  - attack.execution
  - cve.2025-68143
  - cwe.22
  - atlas.AML.T0053
author: RAXE Labs
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    ParentImage|contains:
      - 'mcp-server-git'
      - 'mcp_server_git'
    Image|endswith:
      - '/git'
      - '\git.exe'
    CommandLine|contains: 'init'
  condition: selection
falsepositives:
  - Legitimate git init operations performed by the MCP server in pre-patch versions
    within expected working directories (upgrade to 2025.9.25 eliminates the tool entirely)
level: high

Sigma Rule 2 -- git init Targeting Sensitive or Unexpected Directories

Detects git init invocations targeting sensitive system directories or using path traversal sequences (GHSA-5cgr-j3jf-jw3v).

title: git init Command Targeting Sensitive System Directories
id: 3c7f1b9e-8a4d-4e12-b6c5-2f0a7d3e5b91
status: experimental
description: >
  Detects git init invocations targeting sensitive system directories or using
  path traversal sequences. This behaviour matches the attack pattern described in
  CVE-2025-68143, where the mcp-server-git git_init tool accepted arbitrary repo_path
  values without validation (GHSA-5cgr-j3jf-jw3v).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68143
  - https://github.com/advisories/GHSA-5cgr-j3jf-jw3v
  - https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
tags:
  - attack.execution
  - attack.t1083
  - cve.2025-68143
  - cwe.22
  - atlas.AML.T0053
author: RAXE Labs
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  selection_cmd:
    Image|endswith:
      - '/git'
      - '\git.exe'
    CommandLine|contains: 'init'
  selection_sensitive_path:
    CommandLine|contains:
      - ' /etc'
      - ' /root'
      - ' /home'
      - ' /var'
      - ' /usr'
      - ' /bin'
      - ' /sbin'
      - ' /lib'
      - ' /proc'
      - ' /sys'
      - ' /boot'
      - ' /tmp'
      - ' /opt'
      - ' /srv'
      - ' C:\Windows'
      - ' C:\Program Files'
      - ' C:\Users'
      - ' C:\ProgramData'
  selection_traversal:
    CommandLine|contains:
      - '../'
      - '..\\'
      - '%2e%2e%2f'
      - '%2e%2e/'
  condition: selection_cmd and (selection_sensitive_path or selection_traversal)
falsepositives:
  - Developers legitimately initialising repositories in home directories (/home/user/project);
    tune exclusions to known developer working directories
  - Automated CI/CD pipelines that initialise repos in /tmp for ephemeral builds;
    exclude known CI runner parent processes
level: high

Sigma Rule 3 -- .git Directory Created in Sensitive Filesystem Location

Detects creation of a .git/ directory at a sensitive or unexpected filesystem path -- the direct artefact of successful CVE-2025-68143 exploitation (commit eac56e7, GHSA-5cgr-j3jf-jw3v). Note: This rule monitors filesystem events for .git directory creation and can be noisy in environments with container builds, package managers, or CI/CD pipelines that legitimately initialise repositories in system paths. Correlate alerts with MCP server process context (Rule 1) to reduce false positives.

title: .git Directory Created in Sensitive or Unexpected Filesystem Location
id: 6d2e8f0a-1c5b-4a73-9e4f-7b3d0c1a2e85
status: experimental
description: >
  Detects creation of a .git directory in a sensitive or unexpected filesystem path.
  This is the direct filesystem artefact of a successful CVE-2025-68143 exploitation:
  the mcp-server-git git_init tool called git.Repo.init(path=repo_path, mkdir=True),
  creating a .git/ subdirectory at the attacker-supplied path (commit eac56e7,
  GHSA-5cgr-j3jf-jw3v).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68143
  - https://github.com/advisories/GHSA-5cgr-j3jf-jw3v
  - https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
tags:
  - attack.persistence
  - cve.2025-68143
  - cwe.22
  - atlas.AML.T0053
author: RAXE Labs
date: 2026-03-09
logsource:
  category: file_event
  product: linux
detection:
  selection:
    TargetFilename|contains:
      - '/etc/.git'
      - '/root/.git'
      - '/home/.git'
      - '/var/.git'
      - '/usr/.git'
      - '/bin/.git'
      - '/sbin/.git'
      - '/lib/.git'
      - '/proc/.git'
      - '/sys/.git'
      - '/boot/.git'
      - '/opt/.git'
      - '/srv/.git'
  condition: selection
falsepositives:
  - Intentional repository initialisation in /opt or /srv for self-hosted tooling deployments;
    verify against known application provisioning events
  - Container image build steps that initialise repos in system paths
level: high

Sigma Rule 4 -- Sequential git init Followed by Follow-on Git Operations

Detects a rapid sequence of git init followed by git add, git commit, or git diff -- the two-step attack chain enabled by this CVE in combination with follow-on MCP Git tools (commit eac56e7, RAXE assessment).

title: Rapid Sequence of git init and Follow-on Git Operations (MCP Attack Chain)
id: 9e4a2b1f-7c3d-4f56-8a0e-1d5b6c7e9f23
status: experimental
description: >
  Detects a rapid sequence of git init followed by git add, git commit, or git diff
  within a short window. This matches the two-step attack chain documented in
  RAXE-2026-021: an attacker first uses CVE-2025-68143 (git_init path traversal) to
  seed a repository at a sensitive path, then leverages follow-on MCP Git tools
  to stage or exfiltrate files (commit eac56e7, RAXE assessment).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-68143
  - https://github.com/advisories/GHSA-5cgr-j3jf-jw3v
  - https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6
tags:
  - attack.execution
  - attack.collection
  - cve.2025-68143
  - cwe.22
  - atlas.AML.T0053
author: RAXE Labs
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  git_init:
    Image|endswith: '/git'
    CommandLine|contains: 'init'
  git_followon:
    Image|endswith: '/git'
    CommandLine|contains:
      - ' add '
      - ' commit '
      - ' diff '
      - ' log '
  timeframe: 30s
  condition: git_init | near git_followon
falsepositives:
  - Automated repository bootstrapping scripts that immediately stage initial files after
    git init (e.g., cookiecutter templates, scaffold tooling); reduce scope by correlating
    with MCP server parent process
  - CI/CD pipeline steps that initialise and immediately commit in a single job step
level: medium

Supplementary: Splunk SPL Query

For environments using Splunk with process creation logs:

index=os_logs sourcetype="process_creation"
| where match(ParentImage, "(mcp.server.git|mcp_server_git)")
  AND match(Image, "git(\.exe)?$")
  AND match(CommandLine, "init")
| table _time, host, ParentImage, Image, CommandLine
| eval alert="CVE-2025-68143: MCP server git_init invocation detected"

Detection & Mitigation

Immediate Remediation

  1. Upgrade mcp-server-git to version 2025.9.25 or later. This is the primary remediation. The fix removes the git_init tool entirely, eliminating the attack surface. Verify the upgrade (GHSA-5cgr-j3jf-jw3v):
   pip install --upgrade mcp-server-git
   pip show mcp-server-git | grep Version
  1. Audit MCP tool invocation logs. Review existing logs for evidence of git_init invocations targeting paths outside expected working directories. Search for:
  2. git_init tool calls with repo_path containing ../ sequences

  3. git_init tool calls with absolute paths pointing to sensitive directories (/etc/, /root/, /home/, /var/)

  4. Check for anomalous .git/ directories. Scan the filesystem for .git/ directories in unexpected locations, which would indicate past exploitation:

   find /etc /root /var /usr /opt -name ".git" -type d 2>/dev/null

Ongoing Detection

  1. Deploy the Sigma detection rules (Rules 1-4) provided in the Detection Signatures section. These rules cover:
  2. Process-level monitoring of git init spawned by the MCP server process (Rule 1)
  3. Process-level monitoring of git init targeting sensitive paths (Rule 2)
  4. Filesystem-level monitoring for .git/ directory creation in sensitive locations (Rule 3)

  5. Sequential-behaviour monitoring for the git_init-to-follow-on-tool attack chain (Rule 4)

  6. Implement MCP tool invocation logging if not already in place. Ensure all tools/call events are logged with the tool name, arguments, and the identity of the invoking agent.

Hardening Guidance

  1. Run MCP servers with least privilege. Ensure the MCP server process does not have filesystem permissions beyond what is required for the configured repository. Use dedicated service accounts with restricted file access.

  2. Cross-reference with RAXE-2026-014 (CVE-2026-27735). Organisations vulnerable to git_init path traversal are likely also vulnerable to the git_add path traversal. Both vulnerabilities affect the same MCP Git server package. Ensure the installed version addresses both CVEs.

  3. Monitor AI agent behaviour for prompt injection. The agentic attack vector relies on prompt injection to control the agent's tool invocations. Deploy prompt injection detection on the AI agent layer as an additional defence-in-depth measure (RAXE assessment).

Indicators of Compromise

Type Indicator Context
Behavioural MCP tool invocation log entry for git_init with repo_path value containing ../ or an absolute path outside the server's configured working directory Path traversal attempt via MCP tool invocation (GHSA-5cgr-j3jf-jw3v)
Behavioural Creation of a .git/ subdirectory in a filesystem location with no prior repository history, particularly in system-owned directories Direct filesystem artefact of successful exploitation (commit eac56e7)
Behavioural A git_init MCP tool invocation immediately followed (within seconds) by git_add, git_commit, or git_diff targeting the same newly created path Two-step attack chain enabled by CVE-2025-68143 + follow-on MCP tools (RAXE assessment)
Behavioural Any git_init tool invocation on a patched deployment (>= 2025.9.25) The tool was removed in the fix; its invocation on a patched server is anomalous (commit eac56e7)
Behavioural URL-encoded traversal sequences (%2e%2e%2f) in MCP tool arguments for git_init Evasion technique: URL-encoding the ../ pattern to bypass simple string matching (RAXE assessment)

Note: All indicators are behavioural or filesystem-based. There are no hash-based or network-based indicators for this vulnerability, as exploitation occurs through MCP protocol-level tool invocations.

Strategic Context

Repeated Path Validation Failures in MCP Reference Servers

CVE-2025-68143 is the second path traversal vulnerability discovered in the official MCP Git server reference implementation. The first, CVE-2026-27735 (GHSA-vjqx-cfc4-9h6v), affected the git_add tool and was fixed in version 2026.1.14 via PR #3164 (RAXE-2026-014). Both vulnerabilities share the same root cause: the MCP server accepted attacker-controlled filesystem paths without boundary validation. The fact that two distinct tools in the same server exhibited the same class of weakness suggests, in RAXE assessment, that path validation was not systematically applied across the server's tool implementations.

MCP Tool Capability Classes

The git_init vulnerability highlights a distinction between two classes of MCP tools that has security implications (RAXE assessment):

  • Boundary-respecting tools -- tools that operate within an existing resource (e.g., git_add within an existing repository, read_file within a configured directory). These have a natural scope boundary, even if that boundary may be bypassed via traversal sequences.
  • Boundary-extending tools -- tools that create new resources (e.g., git_init creating a new repository, mkdir creating a new directory). These expand the attack surface to new filesystem locations and require stricter validation because they establish new scope boundaries.

The git_init tool belonged to the second class. Its removal from the server (commit eac56e7) eliminates the only boundary-extending tool, but the classification is applicable to MCP server implementations broadly. Any MCP tool that can create new resources should be subject to elevated security scrutiny (RAXE assessment).

Agentic Trust Boundary Implications

The CVSS v4.0 vector's UI:P (passive user interaction) rating reflects a structural characteristic of AI agent deployments: the agent acts on inputs without explicit human approval for each tool invocation. In the context of this vulnerability, this means a prompt injection attack satisfies the UI:P requirement without any legitimate user action (RAXE assessment).

This trust model -- where the AI agent trusts its input context, and the MCP server trusts the AI agent -- creates a gap that neither layer independently validates. As MCP adoption grows, closing this gap will require either protocol-level scope constraints, per-tool path validation at the server layer, or human-in-the-loop confirmation for high-risk operations (RAXE assessment).

Forward Outlook

The pattern of path validation failures in MCP reference servers, combined with the WeKnora MCP stdio command injection (CVE-2026-30861, RAXE-2026-018), reinforces what RAXE Labs assesses to be a systemic risk in the AI agent tool-execution layer. As organisations accelerate MCP adoption, the attack surface will expand proportionally. Detection capabilities for MCP tool invocation abuse -- particularly for boundary-extending operations -- represent a significant opportunity for enterprise AI security vendors (RAXE assessment).

References

  1. CVE-2025-68143: MCP Server git_init Path Traversal -- CVSS 6.5 v4.0 (NVD)
  2. GHSA-5cgr-j3jf-jw3v: mcp-server-git Unrestricted git_init Tool (GitHub Security Advisory)
  3. GHSA-5cgr-j3jf-jw3v: Vendor Security Advisory (GitHub)
  4. Fix commit eac56e7: Removal of git_init tool (GitHub)
  5. mcp-server-git on PyPI (PyPI)
  6. MITRE ATLAS: AML.T0053 -- AI Agent Tool Invocation (MITRE)
  7. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (MITRE CWE)
  8. CWE-36: Absolute Path Traversal (MITRE CWE)
  9. CVE-2026-27735 / GHSA-vjqx-cfc4-9h6v: MCP Git Server git_add Path Traversal (RAXE-2026-014) (GitHub)
  10. FIRST EPSS: CVE-2025-68143 (FIRST)