Anthropic Git MCP Server Vulnerabilities Involving Path Traversal and Argument Injection

Security researchers recently disclosed multiple vulnerabilities affecting mcp-server-git, the official Git server implementation for the Model Context Protocol (MCP) maintained by Anthropic.

While the flaws have already been fixed, the disclosure has drawn attention because this server is considered the reference implementation that many developers rely on when integrating large language models with development tools like Git.

Beyond their technical severity, these vulnerabilities stand out because of how they can be abused: through prompt injection, an attacker can cause harmful actions simply by shaping what an AI assistant processes, without requiring direct system access.

What Is mcp-server-git and Why Is It Important?

mcp-server-git is a Python-based server that allows large language models to interact with Git repositories using the Model Context Protocol (MCP). MCP acts as a bridge between AI assistants and external tools, enabling automated actions such as reading repositories, generating diffs, or committing changes.

Because this Git server is maintained by Anthropic and commonly used as a reference implementation, many IDEs and AI-assisted development environments use it as a blueprint. As a result, weaknesses in this implementation have broader implications for the entire MCP ecosystem.

What Vulnerabilities Were Discovered?

Researchers identified three vulnerabilities:

• CVE-2025-68143 (CVSS 6.5): A path traversal issue in the git_init function, allowing repositories to be created in arbitrary filesystem locations.
• CVE-2025-68145 (CVSS 6.4): Another path traversal issue that bypasses repository path restrictions.
• CVE-2025-68144 (CVSS 6.3): An argument injection flaw where unsanitized input is passed directly to Git CLI commands.

Individually, these bugs enable unauthorized file access or deletion. When combined, they significantly increase the attack surface.

CVE-2025-68143 (SOCRadar Vulnerability Intelligence)

As vulnerabilities increasingly emerge at the intersection of AI tools and development infrastructure, maintaining visibility into newly disclosed risks is critical. SOCRadar, through its Vulnerability Intelligence capabilities, helps organizations stay ahead of issues like the mcp-server-git flaws by delivering timely, actionable vulnerability insights.

How Can Prompt Injection Lead to Exploitation?

Unlike traditional attacks that require system-level access, these vulnerabilities can be triggered through prompt injection. If an attacker can control content the AI processes – such as a README file, issue description, or webpage – they can influence the model to invoke Git tools with malicious parameters.

In practical terms, the AI becomes an unwitting intermediary, executing dangerous operations because it trusts the provided context.

What Is the Real-World Impact of These Flaws?

Successful exploitation can allow attackers to:

• Read arbitrary files into the AI’s context
• Delete or overwrite files on the host system
• Execute code when combined with filesystem access

Researchers demonstrated that chaining these issues with file-writing capabilities could lead to remote code execution using Git’s clean and smudge filter mechanisms. Importantly, these scenarios worked in default configurations, not edge cases.

The attack chain (Cyata)

Who is Affected and Which Versions Are Vulnerable?

Any environment running mcp-server-git versions prior to 2025.12.18 is affected. This includes AI-powered IDEs and tools where Git and filesystem MCP servers are enabled together.

Anthropic addressed the issues by removing the vulnerable git_init tool and adding stricter path validation. Users are strongly advised to upgrade immediately.

What Should Developers and Security Teams Do Next?

Staying informed about how AI tools interact with underlying systems is becoming just as important as securing the systems themselves. At a minimum, teams should update to the latest patched version and review which MCP servers are enabled together. Monitoring systems for unexpected .git directories outside normal repositories can also help detect misuse.

For a deeper technical breakdown of the discovery and exploit chain, Cyata has published a detailed research article.

SOCRadar’s Vulnerability Intelligence

To help organizations track critical CVEs and evolving exploitation activity in real time, SOCRadar’s Cyber Threat Intelligence module delivers timely intelligence that supports faster decision-making and more effective remediation.

Key capabilities include:

• Real-time CVE monitoring to identify newly disclosed and high-impact vulnerabilities as they emerge
• Exploitation intelligence that highlights whether vulnerabilities are being actively targeted in the wild
• Risk-based prioritization to help teams focus remediation efforts on vulnerabilities that pose the highest threat
• Contextual threat correlation that connects vulnerability data with attacker techniques and campaigns
• Attack Surface Management (ASM) integration to identify exposed assets and understand where vulnerable systems are reachable from an attacker’s perspective

By combining vulnerability intelligence with external attack surface visibility, SOCRadar helps organizations better understand exposure, reduce blind spots, and respond faster to emerging security risks.