CHK-CVE
CRITICAL

Manually verified CVE in a dependency

category: cve · source: manual research (not an automated pattern)
OWASP MCP Top 10: MCP-T09 Supply Chain Compromise

What it detects

This one is different from the other checkers on this page: it's not a regex or pattern match. CHK-CVE is the tag used when a CVE affecting a dependency has been manually researched and confirmed against the actual repository — as opposed to CHK-034/035/036, which are the automated severity tiers the OSV API lookup assigns to every dependency CVE it finds programmatically.

Manual verification matters here because automated CVE-to-dependency matching has a real false-positive rate (a CVE in a library doesn't always mean the vulnerable code path is reachable). CHK-CVE entries have had that reachability checked by hand before being counted.

Real example

modelcontextprotocol/server-git (85k★) · CONFIRMED

CVE-2025-68143, CVSS 8.8, path traversal. This is the official MCP reference Git server — the one most developers install first, referenced directly in Claude Code's own documentation. A crafted repository path can read files outside the intended directory scope.

How to fix it

Upgrade to the patched version of modelcontextprotocol/server-git

Check the package's CHANGELOG or GitHub releases for the version that fixes CVE-2025-68143 and upgrade to it. For dependency CVEs generally: pin to the fixed version rather than a range, since the vulnerable version may otherwise still resolve in some install paths.
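As an added example (not code from the tanav.ai page or from the checker itself), the small Python check below shows why a version range can still pull in a vulnerable release while an exact pin cannot: it parses a comma-separated specifier and reports which known-vulnerable versions it still admits. The package, version numbers and specifier clauses are constructed for illustration, not taken from any advisory.

```python
"""Report which known-vulnerable versions a dependency specifier still admits.
Added example for the 'pin, don't range' advice above; constructed data only."""
import re
from typing import List, Tuple

# Two-character operators are listed first so ">=" is not read as ">" then "=1.0".
_CLAUSE_RE = re.compile(r"^\s*(==|!=|>=|<=|>|<)\s*([0-9]+(?:\.[0-9]+)*)\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.5.1' into (1, 5, 1). Dotted numeric releases only; pre-release
    tags (rc, dev) would need a full PEP 440 parser."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare with zero-padding so that 1.5 == 1.5.0. Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def satisfies(version: str, spec: str) -> bool:
    """True if `version` passes every comma-separated clause in `spec`
    (e.g. '>=1.4,<2.0'). An empty spec admits every version."""
    v = parse_version(version)
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        m = _CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
        op, target = m.group(1), parse_version(m.group(2))
        c = _cmp(v, target)
        if not {"==": c == 0, "!=": c != 0, ">=": c >= 0,
                "<=": c <= 0, ">": c > 0, "<": c < 0}[op]:
            return False
    return True


def admitted_vulnerable(spec: str, vulnerable: List[str]) -> List[str]:
    """Known-vulnerable versions that `spec` still lets a resolver pick."""
    return [v for v in vulnerable if satisfies(v, spec)]


# Constructed sample data for a hypothetical package (not real advisory data).
VULNERABLE = ["1.4.0", "1.4.1", "1.5.0"]
FIXED = "1.5.1"

if __name__ == "__main__":
    for spec in (">=1.4", ">=1.4,<2.0", f">={FIXED}", f"=={FIXED}"):
        print(f"{spec:>8}: still admits {admitted_vulnerable(spec, VULNERABLE)}")
```

Only the two specifiers anchored at the fixed version come back empty; both open ranges still admit every vulnerable release.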
