A series of three security vulnerabilities have been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic. This can be exploited to read or delete arbitrary files and execute code under certain conditions.
“These flaws can be exploited through prompt injection, meaning that an attacker who can influence what the AI assistant reads (a malicious README, a tainted problem description, a compromised web page) could weaponize these vulnerabilities without having direct access to the victim’s system,” Cyata researcher Yarden Porat said in a report shared with The Hacker News.
Mcp-server-git is a Python package and MCP server that provides a set of built-in tools for programmatically reading, searching, and manipulating Git repositories through the Large-Scale Language Model (LLM).
Following responsible disclosure in June 2025, the following security issues were addressed in versions 2025.9.25 and 2025.12.18.
CVE-2025-68143 (CVSS score: 8.8) [v3] /6.5 [v4]) – Path traversal vulnerability resulting from the git_init tool accepting arbitrary file system paths without validation during repository creation (fixed in version 2025.9.25) CVE-2025-68144 (CVSS score: 8.1) [v3] /6.4 [v4]) – Argument injection vulnerability resulting from git_diff and git_checkout functions passing user-controlled arguments directly to git CLI commands without sanitization (fixed in version 2025.12.18) CVE-2025-68145 (CVSS score: 7.1) [v3] /6.3 [v4]) – Path traversal vulnerability resulting from missing path validation when using the –repository flag to restrict operations to a specific repository path (fixed in version 2025.12.18)
Successful exploitation of the above vulnerability could allow an attacker to change any directory on the system to a Git repository, overwrite any file with an empty diff, and gain access to any repository on the server.
In the attack scenario documented by Cyata, three vulnerabilities could be chained together with a filesystem MCP server to write to the “.git/config” file (usually located in a hidden .git directory), allowing remote code execution to be achieved by triggering a call to git_init via prompt injection.
Create a repository in a writable directory using git_init Create a malicious .git/config with a clean filter using a file system MCP server Apply the filter to specific files by creating a .gitattributes file Create a shell script with the payload Create a file that triggers the filter Call git_add to run the clean filter and execute the payload
In response to this finding, the git_init tool was removed from the package and additional validation was added to prevent path traversal primitives. For optimal protection, we recommend that users of Python packages update to the latest version.
“This is a legitimate Git MCP server and one that developers are expected to copy,” said Shahar Tal, CEO and co-founder of Agentic AI security company Cyata. “If the security perimeter is broken even in a reference implementation, it signals the need for deeper scrutiny of the entire MCP ecosystem. These are not corner cases or special configurations; they work out of the box.”
Source link
