Critical Vulnerabilities in Anthropic’s MCP Git Server Expose Systems to Remote Code Execution
Recent security assessments have uncovered three significant vulnerabilities in Anthropic’s mcp-server-git, the official Git Model Context Protocol (MCP) server. These flaws could potentially allow unauthorized access to files and enable remote code execution under specific conditions.
Understanding the Vulnerabilities
The mcp-server-git is a Python-based MCP server designed to facilitate programmatic interactions with Git repositories through large language models (LLMs). The identified vulnerabilities, disclosed in June 2025 and subsequently patched in versions 2025.9.25 and 2025.12.18, are as follows:
1. CVE-2025-68143 (CVSS score: 8.8 [v3] / 6.5 [v4]): This path traversal vulnerability arises from the git_init tool’s acceptance of arbitrary file system paths during repository creation without proper validation. An attacker could exploit this to create repositories in unintended directories, potentially leading to unauthorized file access or modification. This issue was addressed in version 2025.9.25.
2. CVE-2025-68144 (CVSS score: 8.1 [v3] / 6.4 [v4]): This argument injection vulnerability is due to the git_diff and git_checkout functions passing user-controlled arguments directly to Git CLI commands without adequate sanitization. Exploitation could allow attackers to execute arbitrary commands, leading to unauthorized actions within the system. The fix was implemented in version 2025.12.18.
3. CVE-2025-68145 (CVSS score: 7.1 [v3] / 6.3 [v4]): Another path traversal issue, this vulnerability stems from inadequate path validation when using the –repository flag to limit operations to a specific repository path. Attackers could exploit this to access or modify repositories beyond the intended scope. This vulnerability was also patched in version 2025.12.18.
Potential Exploitation Scenarios
These vulnerabilities can be exploited through prompt injection attacks. An attacker could manipulate the content an AI assistant processes—such as a malicious README file, a compromised issue description, or a tampered webpage—to trigger these flaws without needing direct access to the victim’s system.
In a documented attack scenario, the vulnerabilities were chained with the Filesystem MCP server to achieve remote code execution:
1. Repository Creation:
– Utilize git_init to create a repository in a writable directory.
2. Malicious Configuration:
– Employ the Filesystem MCP server to write a malicious .git/config file containing a clean filter.
3. Attribute Application:
– Create a .gitattributes file to apply the filter to specific files.
4. Payload Preparation:
– Write a shell script containing the payload.
5. Trigger Setup:
– Create a file that activates the filter.
6. Execution:
– Invoke git_add, which executes the clean filter, thereby running the payload.
Mitigation Measures
In response to these findings, Anthropic has taken the following actions:
– Removal of git_init Tool: The git_init tool has been removed from the package to eliminate the associated path traversal vulnerability.
– Enhanced Validation: Additional validation measures have been implemented to prevent path traversal exploits.
Users are strongly advised to update to the latest version of the mcp-server-git package to ensure optimal protection against these vulnerabilities.
Broader Implications
Shahar Tal, CEO and co-founder of Agentic AI security company Cyata, emphasized the significance of these findings:
This is the canonical Git MCP server, the one developers are expected to copy. If security boundaries break down even in the reference implementation, it’s a signal that the entire MCP ecosystem needs deeper scrutiny. These are not edge cases or exotic configurations; they work out of the box.
This underscores the necessity for rigorous security assessments and proactive measures within the MCP ecosystem to prevent potential exploits.
Conclusion
The discovery of these vulnerabilities in Anthropic’s mcp-server-git highlights the critical importance of continuous security evaluations in software development. Prompt identification and remediation of such issues are essential to safeguard systems against unauthorized access and potential code execution threats.
