mcp-server-git, Path Traversal, CVE-2025-XXXX (Moderate)


The vulnerability in mcp-server-git's `git_init` tool was a path traversal and authorization bypass. Unlike the server's other tools, which only operate within an existing, validated repository, the `git_init` command accepted any user-supplied filesystem path without validation. The server's security model was designed to restrict operations to predefined allowed directories, often checked via a naive string prefix match (e.g., `normalizedRequested.startsWith(allowedDir)`). The `git_init` tool, however, lacked this containment check entirely, so an attacker could specify an absolute path to any directory writable by the server process. Successful execution would create a new Git repository at that arbitrary location. Once created, that directory effectively became a "valid" repository, potentially making it eligible for subsequent Git operations through the other server tools and thereby circumventing the intended sandbox. The issue was fundamentally an improper access control flaw: a tool meant for initialization was allowed to operate outside the configured security boundaries.
Platform: mcp-server-git
Version: Prior to 2025.9.25
Vulnerability: Path Traversal
Severity: Moderate
Date: 2025-12-17

Prediction: 2025-09-25 (Patched)

What Undercode Say:

Example of a vulnerable path prefix check (from a similar MCP flaw):

```javascript
// Naive containment check: a plain string-prefix match on the normalized path.
const isAllowed = allowedDirectories.some(dir => normalizedRequested.startsWith(dir));
```

Constructing a `git init` command with a user-controlled path (conceptual example):

```javascript
// The target path is interpolated directly; no containment check is applied before execution.
const command = `git init -b "main" "${userControlledPath}"`;
await execAsync(command);
```

How to Exploit:

An attacker sends a request to the `git_init` tool with the target path argument set to a sensitive directory (e.g., `/etc/` or `/home/user/`). The server process, often running with elevated privileges for convenience, executes the `git init` command at that location, creating a `.git` folder in the target directory. The attacker can then potentially use the other Git tools to interact with this newly created repository, leading to unauthorized filesystem access or data exfiltration.

Protection from this CVE:

Upgrade to version 2025.9.25 or newer, where the `git_init` tool has been removed entirely, since the server is designed to operate solely on existing repositories. Adhere strictly to the Principle of Least Privilege (PLP) by running the MCP server process with the minimum filesystem permissions it needs. Implement robust path validation for all tools that resolves symlinks and rejects directory traversal sequences (`../`).

Impact:

Unauthorized Git repository creation at arbitrary filesystem locations accessible to the server process. This can lead to data leakage, corruption of sensitive directories, and a partial sandbox escape by establishing a foothold outside the intended allowed directories. It compromises the integrity of the server’s containment model.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
