Three Vulnerabilities in Anthropic MCP Git Server Expose Arbitrary File Access, Deletion, and Code Execution
A trio of security issues has been identified in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that under specific conditions can be abused to read or delete arbitrary files and execute code.
“These issues are reachable via prompt injection, so an adversary who can control what an AI assistant ingests (for example, a malicious README, a tampered issue description, or a booby-trapped webpage) can turn these vulnerabilities into an attack path without ever getting direct access to the target machine,” Cyata researcher Yarden Porat said in a report shared with The Hacker News.
Mcp-server-git is a Python package that exposes an MCP server offering built-in tools for reading, searching, and modifying Git repositories programmatically through large language models (LLMs).
The flaws, which were fixed in releases 2025.9.25 and 2025.12.18 after a coordinated disclosure in June 2025, are as follows –
- CVE-2025-68143 (CVSS score: 8.8 [v3] / 6.5 [v4]) – A path traversal issue caused by git_init accepting arbitrary filesystem paths when initializing repositories, without enforcing validation (Fixed in version 2025.9.25)
- CVE-2025-68144 (CVSS score: 8.1 [v3] / 6.4 [v4]) – An argument injection weakness in which git_diff and git_checkout pass user-controlled arguments straight into git CLI commands without sanitization (Fixed in version 2025.12.18)
- CVE-2025-68145 (CVSS score: 7.1 [v3] / 6.3 [v4]) – A path traversal vulnerability due to missing path validation when using the --repository flag to restrict operations to a given repository path (Fixed in version 2025.12.18)
If an attacker successfully exploits these bugs, they can convert any directory on the host into a Git repository, overwrite arbitrary files with an empty diff, and reach any repository accessible to the MCP server.
In the attack path outlined by Cyata, all three vulnerabilities are chained together with the Filesystem MCP server, allowing the adversary to write to a “.git/config” file (normally under the hidden .git directory) and obtain remote code execution by driving a git_init invocation via a prompt injection. The steps are as follows:
- Invoke git_init to create a repository in a directory where the process has write access
- Leverage the Filesystem MCP server to place a malicious .git/config that defines a clean filter
- Create a .gitattributes file to attach the filter to chosen files
- Drop a shell script containing the payload
- Add a file that will trigger the clean filter
- Call git_add, which runs the clean filter and executes the payload
Following these findings, the git_init tool has been removed from the package, and additional validation has been added to block path traversal patterns. Environments using the Python package should upgrade to the latest release as part of their standard hardening and patch playbooks.
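The two classes of check involved here (keeping a requested path inside the permitted repository, and refusing values that git would parse as options) can be sketched as follows. This is an added example, not code from mcp-server-git or from Cyata's report; the function names, the `ValidationError` type and the sample inputs are assumptions made for illustration.

```python
import os
import tempfile


class ValidationError(ValueError):
    """Raised when a tool argument fails a safety check (hypothetical type)."""


def resolve_inside(allowed_root: str, requested: str) -> str:
    """Return the real path of `requested`, or raise if it leaves `allowed_root`."""
    root = os.path.realpath(allowed_root)
    # realpath collapses ".." segments and follows symlinks before comparing.
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise ValidationError(f"path escapes allowed repository: {requested!r}")
    return target


def safe_ref(ref: str) -> str:
    """Reject values git would parse as an option instead of a revision."""
    if not ref or ref.startswith("-") or any(c in ref for c in "\x00\n\r"):
        raise ValidationError(f"unsafe ref: {ref!r}")
    return ref


def diff_argv(allowed_root: str, repo: str, target: str) -> list[str]:
    """Build an argv list for `git diff`; no shell is involved."""
    repo_path = resolve_inside(allowed_root, repo)
    # "--end-of-options" (git >= 2.24) stops option parsing before the ref.
    return ["git", "-C", repo_path, "diff", "--end-of-options", safe_ref(target)]


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisories.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "proj"))
        samples = [("proj", "main"), ("../elsewhere", "main"), ("proj", "--example-option=value")]
        for repo, ref in samples:
            try:
                print(diff_argv(root, repo, ref))
            except ValidationError as err:
                print("rejected:", err)
```

Comparing resolved paths rather than raw strings is what makes the containment check hold against symlinks as well as `..` segments.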
“This is the reference Git MCP server implementation, the one other servers are likely to mirror,” Shahar Tal, CEO and co-founder of Agentic AI security company Cyata, said. “When security boundaries fail in the reference implementation, it indicates the broader MCP ecosystem warrants deeper review. These are default behaviors, not rare deployment edge cases.”
