A set of three security vulnerabilities have been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, which can be used to read or delete arbitrary files and execute code under certain conditions.
“These flaws can be exploited via instant injection, meaning an attacker who can influence what the AI assistant reads (a malicious readme, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without direct access to the victim’s system,” Cyta researcher Yarden Porat said in a report shared with The Hacker News.
mcp-server-git is a Python package and an MCP server that provides a set of built-in tools for reading, searching, and manipulating Git repositories programmatically via large language models (LLMs).
The security issues, which have been addressed in versions 2025.9.25 and 2025.12.18 following the responsible disclosure in June 2025, are listed below –
- CVE-2025-68143 (CVSS Score: 8.8 [v3] / 6.5 [v4]) – Path traversal vulnerability resulting from the git_init tool accepting arbitrary file system paths during repository creation without verification (fixed in version 2025.9.25)
- CVE-2025-68144 (CVSS Score: 8.1 [v3] / 6.4 [v4]) – An argument injection vulnerability resulting from the git_diff and git_checkout functions passing user-controlled arguments directly to git CLI commands without sanitizing (fixed in version 2025.12.18)
- CVE-2025-68145 (CVSS Score: 7.1 [v3] / 6.3 [v4]) – Path traversal vulnerability resulting from a missing path validation when using the –repository flag to limit operations to a specific repository path (fixed in version 2025.12.18)
Successful exploitation of the above vulnerabilities could allow an attacker to change any directory on the system to a Git repository, overwrite any file with an empty diff, and access any repository on the server.
In an attack scenario documented by Cyata, the three vulnerabilities could be combined with the filesystem MCP server to write to a “.git/config” file (usually located within a hidden .git directory) and achieve remote code execution by triggering a call to git_init via an instantiated injection.
- Use git_init to create a repo in a writable directory
- Use file system MCP server to write malicious .git/config with a clean filter
- Write a .gitattributes file to apply filters to certain files
- Write a shell script with payload
- Write a file that triggers the filter
- Call git_add, which executes the clean filter by running the payload
In response to the findings, the git_init tool has been removed from the package and adds additional validation to prevent path traversal primitives. Users of Python packages are advised to update to the latest version for optimal security.
“This is the canonical Git MCP server that developers are expected to copy,” said Shahar Tal, CEO and co-founder of Cyta, an agentic AI security company. “If security boundaries are broken even in the reference implementation, it is a sign that the entire MCP ecosystem needs deeper investigation. These are not edge cases or exotic configurations, they work out of the box.”
