Multiple Vulnerabilities in Anthropic Git MCP server Enables Code Execution

Three zero-day vulnerabilities have been disclosed in mcp-server-git, the reference implementation of Git integration for the Model Context Protocol (MCP).

The flaws stem from insufficient input validation and argument sanitization in core Git operations. Through prompt injection, attackers can execute code, delete files, and exfiltrate sensitive data without direct system access. Patches are available in version 2025.12.18 and later.

Unlike prior MCP security findings, these vulnerabilities affect default configurations out of the box, posing an immediate risk to organizations deploying Anthropic’s official MCP servers.

These vulnerabilities, uncovered by Cyata, allow attackers to influence the AI assistant’s context via malicious READMEs, poisoned issue descriptions, or compromised webpages.

When the LLM processes this content, it triggers MCP tool calls with attacker-controlled arguments. Crucially, no direct system access is required.

CVE ID         | Issue                            | CVSS | Impact
CVE-2025-68143 | Unrestricted repo initialization | 8.6  | Directory traversal, data exfiltration
CVE-2025-68145 | Path validation bypass           | 8.2  | Unauthorized repo access
CVE-2025-68144 | Argument injection               | 8.8  | File deletion or corruption

The attack chain combines multiple weaknesses: unrestricted repository paths allow access to any Git directory on the system, argument injection enables arbitrary file operations, and integration with the Filesystem MCP server facilitates code execution via Git filters.

[Figure: Attack chain (source: Cyata)]

Anthropic Git MCP Server Vulnerabilities

Repository Path Bypass (CVE-2025-68145): The git_diff and git_log functions accept repo_path directly from user arguments without validation against the --repository flag configured during server initialization. This allows attackers to access any Git repository on the filesystem, not just the intended one.

Unrestricted Initialization (CVE-2025-68143): The git_init tool lacks path validation entirely, permitting attackers to create repositories in arbitrary directories such as /home/user/.ssh. Combined with git_log or git_diff, this enables sensitive file exfiltration into the LLM context.

Argument Injection (CVE-2025-68144): The git_diff function passes the target parameter directly to the Git CLI without sanitization. Attackers inject flags like --output to overwrite arbitrary files. An attacker could execute git_diff with the target option "--output=/home/user/.bashrc" to delete or corrupt critical files.
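As an added illustration of the fix these two findings call for (example code, not the project's own patch in 2025.12.18), the checks below resolve repo_path against the root given by --repository and refuse option-like target values before anything reaches the Git CLI; the allowed_root parameter and the sample paths are assumptions.

```python
"""Hardened argument handling for a git_diff-style MCP tool (illustration only)."""
from pathlib import Path
import subprocess


class ToolArgumentError(ValueError):
    """A tool argument failed validation and the call must be refused."""


def validate_repo_path(repo_path: str, allowed_root: str) -> Path:
    """Require repo_path to lie inside the root configured via --repository.

    Both paths are fully resolved (symlinks and '..') before comparison, so
    '/srv/repos/../../home/user/.ssh' is rejected even though it begins
    with the root string. Returns the resolved repository path.
    """
    root = Path(allowed_root).resolve()
    candidate = Path(repo_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ToolArgumentError(f"repo_path {repo_path!r} escapes {root}")
    return candidate


def validate_revision(value: str) -> str:
    """Refuse a target string that git would parse as an option.

    Anything starting with '-' (for example '--output=...') is rejected,
    which closes the argument-injection path; NUL bytes are never valid argv.
    """
    if not value or value.startswith("-") or "\0" in value:
        raise ToolArgumentError(f"refusing option-like target {value!r}")
    return value


def build_git_diff_argv(repo_path: str, allowed_root: str, target: str) -> list[str]:
    """Build argv for `git diff <target>` from validated values only.

    `-C` pins git to the validated repository, and the trailing '--'
    marks the end of options so later arguments are never read as flags.
    """
    repo = validate_repo_path(repo_path, allowed_root)
    rev = validate_revision(target)
    return ["git", "-C", str(repo), "diff", rev, "--"]


def run_git_diff(repo_path: str, allowed_root: str, target: str) -> str:
    """Run the validated diff without a shell and return its stdout."""
    argv = build_git_diff_argv(repo_path, allowed_root, target)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```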

The most severe finding involves Git filter configuration. Attackers can exploit git_init to create a malicious .git/config with clean/smudge filters: shell commands that Git executes during staging operations.

The attack chain involves writing malicious configuration files via the Filesystem MCP server, creating .gitattributes to trigger filters, and executing arbitrary payloads without requiring execute permissions.

This demonstrates how MCP’s interconnected architecture, combining Git, filesystem, and LLM capabilities, can amplify individual vulnerabilities into a complete system compromise. Any organization running mcp-server-git versions before 2025.12.18 is vulnerable.

Particularly at risk are AI-powered IDEs (Cursor, Windsurf, GitHub Copilot), which run multiple MCP servers simultaneously, thereby expanding the attack surface.

Cyata research indicates that users of Claude Desktop with Git integration should treat updates as a high priority to prevent possible exploitation.

Mitigation         | Description
Update software    | Upgrade mcp-server-git to version 2025.12.18 or later
Audit integrations | Review MCP server combinations, especially Git + Filesystem
Monitor filesystem | Check for unexpected .git directories outside repositories
Review permissions | Apply least-privilege access to MCP servers
Validate inputs    | Add stronger input validation in downstream tools

These vulnerabilities underscore a critical reality: agentic systems introduce novel attack vectors that traditional security models don’t address.

As AI agents gain autonomous operational capabilities, organizations must rethink threat models around LLM-driven decision-making and tool invocation.

The MCP architecture itself isn’t flawed, but its security depends on rigorous input validation at every integration point.
