Anthropic's official Git MCP server contains multiple security vulnerabilities enabling file read/write and potential remote code execution

2026-01-21 00:21

Odaily News Three security vulnerabilities have been discovered in the official mcp-server-git maintained by Anthropic. These vulnerabilities can be exploited through prompt injection attacks, allowing attackers to trigger them via malicious README files or compromised webpages without requiring direct access to the victim's system.

The vulnerabilities include: CVE-2025-68143 (unrestricted git_init), CVE-2025-68145 (path validation bypass), and CVE-2025-68144 (argument injection in git_diff). When combined with a filesystem MCP server, these vulnerabilities could allow attackers to execute arbitrary code, delete system files, or read the contents of arbitrary files into the large language model's context.

Cyata noted that because mcp-server-git does not perform path validation on the repo_path parameter, attackers can create Git repositories in any directory on the system. Furthermore, by configuring a clean filter in .git/config, attackers can run shell commands without requiring execution permissions. Anthropic assigned CVE identifiers and submitted fixes on December 17, 2025. Users are advised to update mcp-server-git to version 2025.12.18 or later. (cyata)
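The two input-handling weaknesses named above, a repo_path that is never checked against an allowed location and a git_diff argument that git can parse as an option, map to two defensive checks. The following is an added illustration written for this article, not mcp-server-git's own code or its fix; the allow-list root `/srv/repos` and the function names are assumptions.

```python
"""Added defensive example: hardened handling of an MCP git tool's inputs.

Not mcp-server-git's own code; the allow-list root and function names are
assumptions chosen for illustration.
"""
from pathlib import Path

# Assumed configuration: one directory under which repositories may be
# created or opened (constructed value, not from the project).
ALLOWED_ROOT = Path("/srv/repos")


def validate_repo_path(repo_path: str, allowed_root: Path = ALLOWED_ROOT) -> Path:
    """Canonicalise repo_path (collapsing '..' and following symlinks) and
    require the result to stay inside allowed_root.

    Comparing the resolved path, not the raw string, is what stops a bypass
    built from '..' segments or a symlink that points outside the root.
    """
    root = allowed_root.resolve()
    raw = Path(repo_path)
    candidate = (raw if raw.is_absolute() else root / raw).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"repo_path escapes allowed root: {repo_path!r}")
    return candidate


def safe_diff_argv(target: str) -> list[str]:
    """Build an argv for `git diff <target>` that cannot become an option
    injection: a target beginning with '-' would be read by git as a flag,
    so it is rejected, and the list form avoids any shell interpretation."""
    if not target or target.startswith("-"):
        raise ValueError(f"refusing option-like diff target: {target!r}")
    return ["git", "diff", target]


if __name__ == "__main__":
    for p in ("project-a", "project-a/../project-b", "../../etc", "/etc"):
        try:
            print(p, "->", validate_repo_path(p))
        except ValueError as exc:
            print(p, "-> rejected:", exc)
    for t in ("HEAD~1", "--injected"):
        try:
            print(t, "->", safe_diff_argv(t))
        except ValueError as exc:
            print(t, "-> rejected:", exc)
```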