Security Vulnerabilities Discovered in Anthropic’s Git MCP Server


Key Takeaways

  • Three security vulnerabilities have been identified in the official Git server for Anthropic’s Model Context Protocol (MCP), mcp-server-git, which can be exploited through prompt injection.
  • The flaws can be used to manipulate AI assistants into performing unintended actions without needing direct access to a target system.
  • The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations.
  • Attackers can execute code (when mcp-server-git is used alongside a filesystem MCP server), delete arbitrary files, and load arbitrary files into a large language model’s context, potentially exposing sensitive files to the AI.
  • The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145, and Anthropic has released fixes.

Introduction to the Vulnerabilities
The official Git server for Anthropic’s Model Context Protocol (MCP), mcp-server-git, has been found to have three security vulnerabilities that can be exploited through prompt injection. These flaws can be used to manipulate AI assistants into performing unintended actions without needing direct access to a target system. According to cybersecurity firm Cyata, which discovered the flaws, an attacker only needs to influence what an AI assistant reads, such as a malicious README file, a poisoned issue description, or a compromised webpage, to trigger the vulnerabilities. No credentials or system access are required.

Technical Details of the Vulnerabilities
The issues affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. The flaws allow attackers to execute code when mcp-server-git is used alongside a filesystem MCP server, delete arbitrary files, and load arbitrary files into a large language model’s context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145. Cyata’s research showed that mcp-server-git does not properly validate repository paths or sanitize arguments passed to Git commands, allowing an attacker to direct the server to operate on any directory on the system, not just the repository defined in its configuration.
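The two checks that paragraph says were missing, confining the repository path and refusing option-like argument values, can be expressed as follows. This is an added example, not mcp-server-git's code or Anthropic's fix; the function names and the sample requests are hypothetical and constructed for illustration.

```python
import tempfile
from pathlib import Path


class ValidationError(ValueError):
    """A tool argument failed the confinement or option check."""


def confine_repo_path(requested, allowed_root):
    """Return the resolved path, or raise if it leaves allowed_root.

    resolve() collapses '..' and follows symlinks, so the comparison is made
    on the directory git would actually operate on.
    """
    root = Path(allowed_root).resolve()
    candidate = (root / requested).resolve()  # an absolute `requested` replaces root
    if candidate != root and root not in candidate.parents:
        raise ValidationError(f"{requested!r} is outside the configured repository")
    return candidate


def safe_git_value(value):
    """Reject values that git could parse as an option rather than a ref."""
    if not value or value.startswith("-") or "\x00" in value:
        raise ValidationError(f"{value!r} is not accepted as a git argument")
    return value


def build_diff_argv(repo, target):
    """argv list for `git diff`, run without a shell; '--' ends the revisions."""
    return ["git", "-C", str(repo), "diff", safe_git_value(target), "--"]


def demo():
    """Check constructed requests against a throwaway root; True = accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "configured-repo"
        (root / "sub").mkdir(parents=True)
        for req in ("sub", ".", "../elsewhere", "sub/../../elsewhere", "/"):
            try:
                confine_repo_path(req, root)
                results[req] = True
            except ValidationError:
                results[req] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Both checks run on every tool call, before any git process is started, because the values come from model output that may have been shaped by untrusted content.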

The Risks Associated with MCP
MCP is an open standard introduced by Anthropic in November 2024 to allow AI assistants to interact with tools such as filesystems, APIs, databases, and developer utilities like Git. MCP servers act as a bridge, executing real system actions based on decisions made by large language models. The design of MCP raises risks because it allows AI assistants to interact with sensitive systems and data. Previous MCP-related issues typically relied on unusual configurations or unsafe deployments. In this case, Cyata found that the vulnerabilities worked "out of the box," increasing the likelihood of real-world impact. The fact that the vulnerabilities can be exploited without credentials or system access makes them particularly concerning.

Mitigation and Fixes
Anthropic accepted the reports in September and released fixes in December 2025. Cyata advised affected users to update immediately and review how MCP servers are combined in their environments, particularly when Git and filesystem access are both enabled. Users should prioritize updating their mcp-server-git installations, and should also review their MCP server configurations to ensure that they are not inadvertently exposing sensitive data or systems to the AI. Taking both steps helps mitigate the risks associated with the vulnerabilities.

Conclusion
The discovery of the three security vulnerabilities in mcp-server-git highlights the importance of prioritizing security when working with AI systems. The fact that the vulnerabilities can be exploited through prompt injection and do not require credentials or system access makes them particularly concerning. The risks associated with MCP are significant, and users must take steps to mitigate them. By updating their mcp-server-git installations and reviewing their MCP server configurations, users can help prevent potential attacks and protect sensitive data and systems. As the use of AI systems continues to grow, it is essential to prioritize security and ensure that these systems are designed and implemented with security in mind.
