Anthropic, the organization behind the AI model Claude, has recently addressed several security vulnerabilities in its Git Model Context Protocol (MCP) server. These flaws, identified by the security firm Cyata, could have been exploited to achieve remote code execution (RCE) or unauthorized file modifications via prompt injection attacks.
Identified Vulnerabilities:
Cyata discovered three critical vulnerabilities in the mcp-server-git component:
- CVE-2025-68143: An unrestricted `gitinit` function that permitted the creation of Git repositories in arbitrary filesystem locations without proper validation.
- CVE-2025-68144: An argument injection issue in the `gitdiff` function, where unsanitized user input was passed directly to Git commands, potentially leading to file overwrites.
- CVE-2025-68145: A path validation bypass flaw that allowed unauthorized access to repositories outside the configured paths.
These vulnerabilities were reported to Anthropic in June 2025 and were patched in December 2025. Users are advised to update to version 2025.12.18 or later to mitigate these risks. (theregister.com)
Potential Exploitation Chain:
When combined with the Filesystem MCP server, these vulnerabilities could have been chained to execute arbitrary code remotely. The attack sequence involved:
- Using the `git_init` function to create a repository in a writable directory.
- Employing the Filesystem MCP server to write a malicious `.git/config` file containing shell commands.
- Triggering the execution of these commands through subsequent Git operations, leading to remote code execution.
This scenario underscores the importance of securing interactions between AI systems and external tools to prevent unintended actions. (theregister.com)
Background on Anthropic's MCP Server:
Anthropic introduced the Model Context Protocol (MCP) in November 2024 as an open standard to enable AI models to interact with various external systems, including filesystems, APIs, databases, and development tools like Git. MCP servers act as intermediaries, executing system actions based on decisions made by large language models. The mcp-server-git serves as a reference implementation, demonstrating how developers can safely expose Git repositories to AI agents. (infosecurity-magazine.com)
Implications for AI Security:
The discovery of these vulnerabilities highlights the critical need for robust security measures in AI-powered development environments. As AI agents become more integrated into development workflows, ensuring the security of their interactions with external systems is paramount to prevent potential exploits. (theregister.com)
Recommendations:
- Immediate Update: Users should upgrade to mcp-server-git version 2025.12.18 or later to address these vulnerabilities.
- Review MCP Configurations: Evaluate the combination of MCP servers in your environment, especially when Git and filesystem access are enabled together, to minimize the attack surface.
- Sanitize Inputs: Ensure that all inputs, particularly those from external sources, are properly sanitized to prevent prompt injection attacks.
By implementing these measures, organizations can enhance the security of their AI-driven development processes and mitigate potential risks associated with these vulnerabilities.