PT-2025-27498 · Unknown · Git-Mcp-Server

Dellalibera · Published 2025-06-29 · Updated 2025-07-07 · CVE-2025-53107

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: git-mcp-server versions prior to 2.1.5
Description: A command injection vulnerability exists in the git-mcp-server MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings, introducing the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP client can be instructed to execute additional actions, for example via indirect prompt injection when asked to read git logs.
Recommendations: To resolve the issue, update to version 2.1.5 or later. As a temporary workaround, avoid using child_process.exec with untrusted input and instead use a safer API such as child_process.execFile, which takes the arguments as a separate array and so bypasses shell interpretation entirely. Restrict access to the vulnerable tools (e.g., git add, git init, git logs) to minimize the risk of exploitation. Avoid using the path and initialBranch parameters in the affected API endpoints until the issue is resolved.

Weakness Enumeration: Command Injection

Related Identifiers:
BDU:2026-00208
CVE-2025-53107
GHSA-3Q26-F695-PP76

Affected Products:
Git-Mcp-Server