A series of critical security vulnerabilities has been discovered in mcp-server-git, the official Git Model Context Protocol (MCP) server developed by Anthropic. These flaws, detailed in a recent report, could allow attackers to read or delete arbitrary files and, under specific circumstances, execute malicious code on a system. The vulnerabilities underscore the growing security concerns surrounding artificial intelligence (AI) integration into development workflows.
The vulnerabilities were identified by researchers at Cyata, who explained that they can be exploited through prompt injection techniques. This means an attacker does not need direct system access; instead, they can influence what an AI assistant reads by manipulating inputs like malicious README files, poisoned issue descriptions, or compromised web pages. mcp-server-git is a Python package designed to enable large language models (LLMs) to programmatically read, search, and modify Git repositories.
Critical Vulnerabilities in Anthropic’s Git MCP Server
The disclosed security issues have been addressed by Anthropic through updates to the mcp-server-git package. The vulnerabilities were responsibly disclosed in June 2025, leading to fixes in versions 2025.9.25 and 2025.12.18. The identified flaws include:
CVE-2025-68143, with a CVSS score of 8.8 (v3) / 6.5 (v4), is a path traversal vulnerability. This issue stems from the git_init tool accepting arbitrary file system paths during repository creation without adequate validation. This vulnerability was patched in version 2025.9.25.
CVE-2025-68144, rated at 8.1 (v3) / 6.4 (v4) on the CVSS scale, is an argument injection vulnerability. It arises because the git_diff and git_checkout functions pass user-controlled arguments directly to Git CLI commands without proper sanitization. This was resolved in version 2025.12.18.
Finally, CVE-2025-68145, carrying a CVSS score of 7.1 (v3) / 6.3 (v4), is another path traversal vulnerability. This flaw exists due to missing path validation when the --repository flag is used to confine operations to a specific repository path. This was also fixed in version 2025.12.18.
Successful exploitation of these vulnerabilities could allow an attacker to transform any directory on a system into a Git repository, overwrite any file with an empty diff, and gain unauthorized access to any repository hosted on the server. This highlights the potential risks of integrating AI tools with sensitive development infrastructure.
Exploitation Chains and Mitigation Efforts
Cyata researchers demonstrated a specific attack scenario where these three vulnerabilities could be chained together with the Filesystem MCP server to achieve remote code execution. The process involves writing to a .git/config file, typically located within the hidden .git directory of a repository. By carefully orchestrating these steps, an attacker could trigger a call to git_init through prompt injection, leading to the execution of malicious code.
The attack chain as documented involves using git_init to create a repository in a writable directory, followed by using the Filesystem MCP server to inject a malicious configuration into the .git/config file, including a clean filter. A .gitattributes file is then used to direct this filter to specific files. Subsequently, a shell script containing the malicious payload is written, along with a file designed to trigger the filter. Finally, a command like git_add is invoked, which executes the clean filter, thereby running the attacker’s payload.
In response to these findings, Anthropic has taken action to secure the mcp-server-git package. The git_init tool has been removed, and additional validation mechanisms have been implemented to prevent path traversal exploits. Developers utilizing this Python package are strongly advised to update to the latest versions to ensure their systems are protected against these identified security threats.
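The two classes of check these CVEs call for, path confinement and option-injection rejection, are shown below as an added Python example; it is not Anthropic's patch or code from the Cyata report. The names `confine_repo_path`, `safe_ref`, `diff_argv` and `ValidationError` are hypothetical, and the directory layout in the demo is constructed.

```python
import tempfile
from pathlib import Path


class ValidationError(ValueError):
    """Raised when a tool argument would cross the configured boundary."""


def confine_repo_path(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` and require it to stay inside `allowed_root`.

    resolve() collapses ".." segments and follows symlinks, so the check
    compares real filesystem locations rather than strings.
    """
    root = Path(allowed_root).resolve()
    # If `requested` is absolute, the join discards `root`; the check below
    # still rejects it unless it points back inside the root.
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ValidationError(f"{requested!r} resolves outside {root}")
    return target


def safe_ref(ref: str) -> str:
    """Reject values the git CLI would parse as an option, not a revision."""
    if not ref or ref.startswith("-") or any(c in ref for c in "\x00\r\n"):
        raise ValidationError(f"refusing ref {ref!r}")
    return ref


def diff_argv(repo: Path, target: str) -> list[str]:
    """Build an argv list for `git diff`; no shell is involved."""
    return ["git", "-C", str(repo), "diff", safe_ref(target)]


if __name__ == "__main__":
    # Constructed layout: <tmp>/repos/proj is allowed, <tmp>/outside is not.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "repos")
        (root / "proj").mkdir(parents=True)
        Path(tmp, "outside").mkdir()
        print(diff_argv(confine_repo_path(str(root), "proj"), "main"))
        for path in ("../outside", "proj/../../outside"):
            try:
                confine_repo_path(str(root), path)
            except ValidationError as exc:
                print("rejected:", exc)
```
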
Shahar Tal, CEO and co-founder of agentic AI security firm Cyata, emphasized the significance of these vulnerabilities. He noted that mcp-server-git is considered the canonical Git MCP server, meaning it serves as a reference for developers. The breakdown of security boundaries even in such a foundational implementation suggests a broader need for thorough examination of the entire MCP ecosystem. These vulnerabilities are not considered obscure or complex edge cases but are reported to be exploitable out-of-the-box.

