PT-2025-51937 · Unknown · Git-Mcp-Server

Yardenporat · Published 2025-12-17 · Updated 2026-02-23 · CVE-2025-68144

CVSS v3.1: 7.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions

mcp-server-git versions prior to 2025.12.17

Description

The git diff and git checkout functions in mcp-server-git did not properly sanitize user-supplied arguments before passing them to git CLI commands. Specifically, flag-like values, such as --output=/path/to/file used with git diff, were treated as command-line options instead of git references, potentially allowing arbitrary file overwrites. The fix introduces validation that rejects arguments beginning with '-' and verifies, using git rev-parse, that arguments resolve to valid git references before execution.

Recommendations

Update to version 2025.12.17 to resolve this issue.
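
The two checks the description names (reject values beginning with '-', then confirm the value resolves with git rev-parse), sketched in Python as an added example; this is not the project's own code. The names validate_ref, build_diff_argv and InvalidRefError, and the injectable run parameter, are assumptions made for illustration.

```python
import subprocess
import types


class InvalidRefError(ValueError):
    """A caller-supplied value is not acceptable as a git revision."""


def validate_ref(repo_path, value, run=subprocess.run):
    """Return value if it may be passed to git as a revision, else raise.

    `run` is injectable (an assumption of this example) so the check can be
    exercised without a repository on disk.
    """
    # 1. A value starting with '-' would be parsed by git as an option
    #    (e.g. --output=<file> on git diff), so refuse it before git runs.
    if not value or value.startswith("-"):
        raise InvalidRefError(f"flag-like or empty ref rejected: {value!r}")
    # 2. Ask git whether the value resolves to an existing object. The argv
    #    is a list and no shell is involved, so the value is never re-split.
    result = run(
        ["git", "-C", repo_path, "rev-parse", "--verify", "--quiet", value],
        capture_output=True, text=True,
    )
    if result.returncode != 0:
        raise InvalidRefError(f"not a valid git reference: {value!r}")
    return value


def build_diff_argv(repo_path, target, run=subprocess.run):
    """Build the argv for `git diff <target>` only after validation."""
    ref = validate_ref(repo_path, target, run)
    # The trailing "--" marks the end of revisions; no path arguments follow.
    return ["git", "-C", repo_path, "diff", ref, "--"]


if __name__ == "__main__":
    # Constructed stand-in for git: only "main" resolves.
    def stub(argv, **_):
        return types.SimpleNamespace(returncode=0 if argv[-1] == "main" else 1)

    for candidate in ["main", "--output=/path/to/file", "no-such-branch"]:
        try:
            print(build_diff_argv("/repo", candidate, run=stub))
        except InvalidRefError as exc:
            print("rejected:", exc)
```

The flag check runs before any subprocess is started, so a flag-like value never reaches git, not even through the rev-parse call.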

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

CVE-2025-68144
GHSA-9XWC-HFWC-8W59

Affected Products

Git-Mcp-Server