Anthropic's official Git MCP server has multiple security vulnerabilities that can enable file read/write and potentially remote code execution
Odaily Planet Daily reports that three security vulnerabilities have been discovered in the official mcp-server-git maintained by Anthropic. These vulnerabilities can be exploited through prompt injection attacks, allowing attackers to trigger the flaws without direct access to the victim’s system, simply by using malicious README files or compromised web pages.
The vulnerabilities include: CVE-2025-68143 (unrestricted git_init), CVE-2025-68145 (path validation bypass), and CVE-2025-68144 (parameter injection in git_diff). When combined with the file system MCP server, attackers can execute arbitrary code, delete system files, or read arbitrary file contents into the large language model context.
Cyata pointed out that because mcp-server-git does not validate the repo_path parameter, attackers can create Git repositories in any directory on the system. Additionally, by configuring clean filters in .git/config, attackers can run shell commands without requiring execution permissions. Anthropic assigned CVE identifiers and submitted patches on December 17, 2025. Users are advised to update mcp-server-git to version 2025.12.18 or later. (cyata)
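The two mechanisms named in the report, an unvalidated repo_path and shell commands hidden in a repository's filter configuration, both have straightforward defensive checks. The example below is added here and is not code from mcp-server-git or from Cyata's write-up: it confines a requested repository path to an allow-list of roots (resolving symlinks and `..` before comparing) and audits a `.git/config` for `filter.<name>.clean` / `smudge` entries, which Git executes as shell commands when files are staged or checked out. The function names, the `/srv/repos` allow-list and the sample config are constructed for illustration; a filter entry is not proof of malice (Git LFS uses one legitimately), so the audit reports entries for review rather than deciding for you.

```python
"""Defensive checks for an MCP tool that takes a repository path.

Added example, not code from mcp-server-git; function names, the
ALLOWED_ROOTS value and SAMPLE_CONFIG are constructed for illustration.
"""
import re
from pathlib import Path

# Hypothetical allow-list: the only directories the tool may operate in.
ALLOWED_ROOTS = ["/srv/repos"]


def validate_repo_path(requested: str, allowed_roots=ALLOWED_ROOTS) -> Path:
    """Return the resolved path if it lies under an allowed root, else raise.

    resolve() follows symlinks and collapses '..' before the comparison, and
    relative_to() compares whole path components, so '/srv/repos_evil' does
    not pass for the root '/srv/repos' the way a string prefix check would.
    """
    resolved = Path(requested).resolve()
    for root in allowed_roots:
        root_resolved = Path(root).resolve()
        try:
            resolved.relative_to(root_resolved)
            return resolved
        except ValueError:
            continue
    raise PermissionError(f"repo_path {requested!r} is outside the allowed roots")


def is_repo_path_allowed(requested: str, allowed_roots=ALLOWED_ROOTS) -> bool:
    """Boolean wrapper around validate_repo_path for callers that just need yes/no."""
    try:
        validate_repo_path(requested, allowed_roots)
        return True
    except PermissionError:
        return False


# git-config syntax: '[section]' or '[section "subsection"]' headers, then 'key = value'.
_SECTION_RE = re.compile(r'^\s*\[\s*([^\s"\]]+)(?:\s+"([^"]*)")?\s*\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def find_filter_commands(config_text: str) -> list[tuple[str, str, str]]:
    """Return (filter_name, key, command) for every clean/smudge entry in a config.

    Minimal line-based parser; comment lines (# or ;) and blank lines are skipped.
    Only keys inside a [filter "..."] section are reported.
    """
    findings = []
    section, subsection = None, None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            section, subsection = m.group(1).lower(), m.group(2)
            continue
        m = _KEY_RE.match(line)
        if m and section == "filter" and m.group(1).lower() in ("clean", "smudge"):
            findings.append((subsection or "", m.group(1).lower(), m.group(2)))
    return findings


def audit_git_config(repo_path: str) -> list[tuple[str, str, str]]:
    """Read <repo>/.git/config from disk and report filter commands, if any."""
    cfg = Path(repo_path) / ".git" / "config"
    if not cfg.is_file():
        return []
    return find_filter_commands(cfg.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a config with the (legitimate) Git LFS filter definition.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
\trequired = true
"""

if __name__ == "__main__":
    for candidate in ["/srv/repos/project", "/srv/repos/../../etc", "/srv/repos_evil/x"]:
        print(f"{candidate:28} allowed={is_repo_path_allowed(candidate)}")
    for name, key, cmd in find_filter_commands(SAMPLE_CONFIG):
        print(f"filter.{name}.{key} runs: {cmd}")
```

The path check belongs at the entry of every tool that accepts a path argument, not only `git_init`, since the report describes the file-system and Git servers being chained; the config audit is a reasonable step to run before a tool calls into a repository it did not create itself.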