Yardenporat

**Name of the Vulnerable Software and Affected Versions** mcp-server-git versions prior to 2025.9.25 mcp-server-git versions prior to 2025.12.18 **Description** The Model Context Protocol Servers, specifically the mcp-server-git component, contains a flaw in the `git init` tool. Prior to version 2025.9.25, this tool permitted the creation of Git repositories at arbitrary filesystem locations without proper validation. This allowed operation on any directory accessible to the server process, potentially enabling subsequent git operations on those directories. The tool has been removed in later versions as the server is intended to operate on existing repositories only. Exploitation of this issue, in conjunction with the Filesystem MCP server, could lead to unauthorized file access and potential remote code execution. The issue can be triggered through prompt injection via malicious content such as README files or issues. **Recommendations** mcp-server-git versions prior to 2025.9.25: Upgrade to version 2025.9.25 or newer. mcp-server-git versions prior to 2025.12.18: Upgrade to version 2025.12.18 or newer.

**Name of the Vulnerable Software and Affected Versions** mcp-server-git versions prior to 2025.12.17 **Description** The `git diff` and `git checkout` functions in mcp-server-git did not properly sanitize user-supplied arguments before passing them to git CLI commands. Specifically, flag-like values, such as `--output=/path/to/file` used with `git diff`, were treated as command-line options instead of git references, potentially allowing arbitrary file overwrites. The fix introduces validation to reject arguments beginning with '-' and verifies that arguments resolve to valid git references using `rev parse` before execution. **Recommendations** Update to version 2025.12.17 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** mcp-server-git versions prior to 2025.12.17 **Description** In mcp-server-git versions prior to 2025.12.17, the server did not validate that `repo path` arguments in subsequent tool calls were within the configured repository path when started with the `--repository` flag. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. **Recommendations** Upgrade to version 2025.12.17 to resolve this issue.