Zero-Day Flaws in Anthropic’s Git MCP Server Risk Code Execution; Urgent Update Advised

Critical Vulnerabilities in Anthropic’s Git MCP Server Expose Systems to Code Execution Risks

Recent discoveries have unveiled three zero-day vulnerabilities in Anthropic’s Git Model Context Protocol (MCP) server, known as mcp-server-git. These flaws, stemming from inadequate input validation and argument sanitization in core Git operations, present significant security risks. Attackers can exploit these vulnerabilities to execute arbitrary code, delete files, and exfiltrate sensitive data without direct system access. Organizations utilizing Anthropic’s official MCP servers are urged to update to version 2025.12.18 or later to mitigate these threats.

Understanding the Vulnerabilities

The identified vulnerabilities are:

1. Unrestricted Repository Initialization (CVE-2025-68143): This flaw allows attackers to create Git repositories in arbitrary directories due to the absence of path validation in the git_init tool. By exploiting this, malicious actors can access sensitive files and exfiltrate data into the Large Language Model (LLM) context.

2. Path Validation Bypass (CVE-2025-68145): The git_diff and git_log functions accept repo_path directly from user inputs without proper validation against the --repository flag set during server initialization. This oversight enables attackers to access any Git repository on the filesystem, not just the intended one.

3. Argument Injection (CVE-2025-68144): In this case, the git_diff function passes the target parameter directly to the Git command-line interface without sanitization. Attackers can inject flags like --output to overwrite arbitrary files, potentially leading to file deletion or corruption.

The Attack Chain

These vulnerabilities can be combined to form a potent attack chain:

– Repository Path Bypass: By exploiting CVE-2025-68145, attackers can access any Git repository on the system.

– Unrestricted Initialization: Utilizing CVE-2025-68143, malicious actors can create repositories in sensitive directories, such as /home/user/.ssh.

– Argument Injection: Through CVE-2025-68144, attackers can inject malicious arguments to perform unauthorized file operations.

Furthermore, the integration of the Filesystem MCP server with Git operations amplifies the risk. Attackers can exploit git_init to create a malicious .git/config file with clean/smudge filters—shell commands executed during staging operations. This method allows for arbitrary payload execution without requiring execute permissions, demonstrating how MCP’s interconnected architecture can escalate individual vulnerabilities into a comprehensive system compromise.

Impacted Systems

Any organization running mcp-server-git versions before 2025.12.18 is vulnerable. AI-powered Integrated Development Environments (IDEs) like Cursor, Windsurf, and GitHub Copilot, which operate multiple MCP servers simultaneously, are particularly at risk due to the expanded attack surface. Users of Claude Desktop with Git integration should prioritize updates to prevent potential exploitation.

Mitigation Strategies

To safeguard systems against these vulnerabilities, organizations should:

– Update Software: Upgrade mcp-server-git to version 2025.12.18 or later.

– Audit Integrations: Review MCP server combinations, especially those involving Git and Filesystem integrations.

– Monitor Filesystem: Check for unexpected .git directories outside standard repositories.

– Review Permissions: Apply the principle of least privilege to MCP servers to limit potential exploitation.

– Validate Inputs: Implement stronger input validation in downstream tools to prevent unauthorized access.
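
As an added example (not code from mcp-server-git or from the original article), here are the two checks the vulnerability descriptions call for, written in Python: confining repo_path to the repository the server was started with, and refusing a diff target that Git would parse as an option. The function names and the directory layout built in demo() are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

def confine_repo_path(allowed_root: str, repo_path: str) -> Path:
    """Resolve repo_path; raise ValueError if it is not inside allowed_root."""
    # resolve() collapses ".." and follows symlinks before the comparison.
    root = Path(allowed_root).resolve()
    candidate = Path(repo_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"{repo_path!r} is outside {str(root)!r}")
    return candidate

def check_revision(target: str) -> str:
    """Reject values Git would parse as an option rather than a revision."""
    if not target or target.startswith("-") or "\x00" in target:
        raise ValueError(f"{target!r} is not an acceptable revision")
    return target

def build_diff_argv(allowed_root: str, repo_path: str, target: str) -> list:
    """Validate both inputs, then build the argv for `git diff <target>`."""
    repo = confine_repo_path(allowed_root, repo_path)
    # --end-of-options (Git 2.24+): nothing after it is parsed as an option.
    return ["git", "-C", str(repo), "diff", "--end-of-options", check_revision(target)]

def demo() -> dict:
    """Run the checks against a constructed directory layout and inputs."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = Path(tmp, "project")  # stands in for the --repository value
        other = Path(tmp, "other")      # a directory the server must not touch
        allowed.mkdir()
        other.mkdir()
        (allowed / "link").symlink_to(other, target_is_directory=True)
        cases = {
            "inside": (str(allowed), "main"),
            "traversal": (str(allowed / ".." / "other"), "main"),
            "symlink": (str(allowed / "link"), "main"),
            "flag": (str(allowed), "--output=/tmp/constructed-path"),
        }
        results = {}
        for name, (path, target) in cases.items():
            try:
                build_diff_argv(str(allowed), path, target)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
        return results

if __name__ == "__main__":
    print(demo())
```

The leading-dash check and --end-of-options overlap on purpose: the first rejects the input at the tool boundary, the second still holds if a later code path forgets to call the validator.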

Conclusion

The discovery of these vulnerabilities underscores the critical need for robust security measures in AI-powered development environments. As MCP’s interconnected architecture continues to evolve, organizations must remain vigilant, ensuring that all components are regularly updated and that security best practices are rigorously applied to protect against potential threats.