Prompt Injection Bugs Found in Official Anthropic Git MCP Server

By Team-CWD, January 20, 2026


Three security vulnerabilities in the official Git server for Anthropic’s Model Context Protocol (MCP), mcp-server-git, have been identified by cybersecurity researchers.

The flaws can be exploited through prompt injection, allowing attackers to manipulate AI assistants into performing unintended actions without needing direct access to a target system.

The issues affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations.

According to cybersecurity firm Cyata, which discovered the flaws, an attacker only needs to influence what an AI assistant reads, such as a malicious README file, a poisoned issue description or a compromised webpage, to trigger the vulnerabilities. No credentials or system access are required.

The flaws allow attackers to execute code when mcp-server-git is used alongside a filesystem MCP server, delete arbitrary files and load arbitrary files into a large language model’s context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks.

The findings are notable because they affect Anthropic’s reference MCP implementation.

Previous MCP-related issues typically relied on unusual configurations or unsafe deployments. In this case, Cyata found that the vulnerabilities worked “out of the box,” increasing the likelihood of real-world impact.

Why the MCP Design Raises Risk

MCP is an open standard introduced by Anthropic in November 2024 to allow AI assistants to interact with tools such as filesystems, APIs, databases and developer utilities like Git. MCP servers act as a bridge, executing real system actions based on decisions made by large language models.

Cyata’s research showed that mcp-server-git does not properly validate repository paths or sanitise arguments passed to Git commands.

As a result, an attacker can direct the server to operate on any directory on the system, not just the repository defined in its configuration. In one case, unsanitized arguments to the git_diff command allow attackers to overwrite files. In others, misuse of git_init enables file deletion or prepares the ground for code execution when combined with file-writing capabilities.
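The two missing checks described above, repository path validation and argument sanitisation, can be sketched as follows. This is an added example, not code from mcp-server-git or from Cyata; the function names are hypothetical and `allowed_root` stands in for the repository defined in the server's configuration.

```python
import os
import tempfile
from pathlib import Path


def resolve_repo(requested: str, allowed_root: str) -> Path:
    """Return the canonical path only if it lies inside allowed_root."""
    root = Path(allowed_root).resolve()
    # resolve() collapses ".." and follows symlinks, so the check is made
    # on the real location rather than on the string that was supplied.
    target = Path(requested).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"path outside configured repository: {requested!r}")
    return target


def check_revision(value: str) -> str:
    """Reject values Git would parse as an option instead of a revision."""
    if not value or value.startswith("-") or "\x00" in value:
        raise ValueError(f"not a valid revision argument: {value!r}")
    return value


def build_diff_command(repo: str, target: str, allowed_root: str) -> list[str]:
    """Build an argv list (never a shell string) for a diff against target."""
    repo_path = resolve_repo(repo, allowed_root)
    rev = check_revision(target)
    # --end-of-options (Git 2.24+) stops option parsing as a second barrier.
    return ["git", "-C", str(repo_path), "diff", "--end-of-options", rev]


def demo() -> dict:
    """Run constructed inputs through the checks and record each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "project")
        os.makedirs(os.path.join(root, "sub"))
        cases = {  # constructed sample inputs
            "inside": (os.path.join(root, "sub"), "main"),
            "traversal": (os.path.join(root, "..", "other"), "main"),
            "option_like": (root, "--constructed-option"),
        }
        for name, (repo, rev) in cases.items():
            try:
                build_diff_command(repo, rev, root)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results
```

Because the LLM chooses the tool arguments, every value reaching the Git invocation is treated as untrusted input, regardless of which document the model read it from.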

The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144 and CVE-2025-68145. Anthropic accepted the reports in September and released fixes in December 2025.

Cyata advised affected users to update immediately and review how MCP servers are combined in their environments, particularly when Git and filesystem access are both enabled.


