CVE-2025-68145 (CNNVD-202512-3139)
中文标题:
Model Context Protocol Servers 路径遍历漏洞
英文标题:
mcp-server-git has missing path validation when using --repository flag
漏洞描述
中文描述:
Model Context Protocol Servers是Model Context Protocol开源的一个大模型上下文协议服务器。 Model Context Protocol Servers 2025.12.17之前版本存在路径遍历漏洞,该漏洞源于未验证后续工具调用中的repo_path参数是否在配置的路径内,可能导致对服务器进程可访问的其他仓库进行操作。
英文描述:
In mcp-server-git versions prior to 2025.12.17, when the server is started with the --repository flag to restrict operations to a specific repository path, it did not validate that repo_path arguments in subsequent tool calls were actually within that configured path. This could allow tool calls to operate on other repositories accessible to the server process. The fix adds path validation that resolves both the configured repository and the requested path (following symlinks) and verifies the requested path is within the allowed repository before executing any git operations. Users are advised to upgrade to 2025.12.17 upon release to remediate this issue.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| modelcontextprotocol | servers | < 2025.12.17 | - | - |
cpe:2.3:a:modelcontextprotocol:servers:<_2025.12.17:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
参考链接
cve.org
CVSS评分详情
4.0 (cna)
MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2025-68145 |
2025-12-19 03:24:15 | 2026-01-12 02:12:28 |
| NVD | nvd_CVE-2025-68145 |
2025-12-19 03:25:39 | 2026-01-12 02:28:10 |
| CNNVD | cnnvd_CNNVD-202512-3139 |
2026-01-11 06:15:04 | 2026-01-12 02:38:02 |
版本与语言
安全公告
变更历史
查看详细变更
- vulnerability_type: 未提取 -> 路径遍历
- cnnvd_id: 未提取 -> CNNVD-202512-3139
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']