Cybersecurity researchers have disclosed three security flaws in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could allow attackers to read or delete arbitrary files and, under certain conditions, achieve code execution.
According to Cyata researcher Yarden Porat, the vulnerabilities can be exploited through prompt injection. This means an attacker does not need direct access to a victim’s system. Instead, they can weaponize the flaws by influencing what an AI assistant processes, such as a malicious README file, a poisoned issue description, or a compromised web page.
The mcp-server-git project is a Python-based MCP server that enables large language models (LLMs) to programmatically read, search, and manipulate Git repositories. Due to its role as a reference implementation, weaknesses in this server raise broader concerns for the MCP ecosystem.
Details of the Vulnerabilities
The three issues were responsibly disclosed in June 2025 and have since been fixed in versions 2025.9.25 and 2025.12.18. The flaws are tracked as:
- CVE-2025-68143 (CVSS 8.8 v3, 6.5 v4)
A path traversal vulnerability caused by thegit_inittool accepting arbitrary file system paths during repository creation without proper validation. This issue was fixed in version 2025.9.25. - CVE-2025-68144 (CVSS 8.1 v3, 6.4 v4)
An argument injection flaw in thegit_diffandgit_checkoutfunctions, where user-controlled input was passed directly to Git CLI commands without sanitization. This was resolved in version 2025.12.18. - CVE-2025-68145 (CVSS 7.1 v3, 6.3 v4)
Another path traversal issue resulting from missing validation when using the--repositoryflag to restrict operations to a specific repository path. This was also fixed in version 2025.12.18.
Successful exploitation could allow an attacker to convert any directory into a Git repository, overwrite files with empty diffs, and access repositories beyond the intended scope.
Chained Exploitation and Impact
Cyata demonstrated that these vulnerabilities could be chained together with the Filesystem MCP server to achieve remote code execution. In the documented scenario, an attacker could manipulate Git configuration files through prompt injection and trigger execution of a malicious payload during normal Git operations.
As part of the remediation, the git_init tool has been removed entirely from the package, and additional validation has been added to block path traversal techniques. Users are strongly advised to update to the latest version of the Python package to reduce exposure.
Shahar Tal, CEO and co-founder of Cyata, emphasized the broader implications of the findings. He noted that since this server is the canonical MCP Git implementation that developers are encouraged to replicate, security failures in it highlight the need for deeper scrutiny across the entire MCP ecosystem. According to Tal, these issues are not rare edge cases but vulnerabilities that function in default configurations.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
