Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Security researchers have disclosed three vulnerabilities in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could allow attackers to read, overwrite, or delete arbitrary files and even execute code under specific conditions.

These vulnerabilities are particularly dangerous because they can be triggered through prompt injection, meaning an attacker could exploit them without direct access to the victim’s system—simply by influencing what an AI assistant reads, such as a malicious README file, a poisoned issue description, or a compromised webpage.

About MCP-Server-Git

The mcp-server-git package is a Python-based MCP server that allows large language models (LLMs) to interact programmatically with Git repositories. Its built-in tools can read, search, and manipulate repositories, but the vulnerabilities highlighted gaps in input validation and argument sanitization.

The Vulnerabilities

The flaws, fixed in versions 2025.9.25 and 2025.12.18, are as follows:

1. CVE-2025-68143 – Path Traversal in git_init
   • CVSS v3: 8.8 | CVSS v4: 6.5
   • Allows arbitrary filesystem paths during repository creation without validation.
   • Fixed in version 2025.9.25.
2. CVE-2025-68144 – Argument Injection in git_diff and git_checkout
   • CVSS v3: 8.1 | CVSS v4: 6.4
   • User-controlled arguments passed directly to Git CLI commands without sanitization.
   • Fixed in version 2025.12.18.
3. CVE-2025-68145 – Path Traversal via --repository flag
   • CVSS v3: 7.1 | CVSS v4: 6.3
   • Missing path validation allows operations outside the intended repository.
   • Fixed in version 2025.12.18.

Exploitation Scenario

Researchers demonstrated that these vulnerabilities could be chained to achieve remote code execution (RCE):

1. Use git_init to create a repository in a writable directory.
2. Write a malicious .git/config file via the Filesystem MCP server.
3. Add a .gitattributes file applying a filter to certain files.
4. Write a shell script containing the payload.
5. Add a trigger file to invoke the filter.
6. Execute git_add, which triggers the payload through the clean filter.

Mitigation and Recommendations

Anthropic has removed the vulnerable git_init tool and added additional path validation to prevent path traversal. Users of mcp-server-git are strongly advised to update to the latest version immediately.

“This is the canonical Git MCP server, the one developers are expected to copy,” said Shahar Tal, CEO of Cyata. “If security boundaries break down even in the reference implementation, it signals that the entire MCP ecosystem needs deeper scrutiny. These issues are not edge cases—they work out of the box.”