A series of security vulnerabilities have been uncovered in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic. These vulnerabilities could potentially allow malicious actors to read or delete arbitrary files and execute code under specific circumstances.
“These vulnerabilities can be exploited through prompt injection, enabling attackers to weaponize them without direct access to the victim’s system by influencing what an AI assistant reads,” stated Cyata researcher Yarden Porat in a report shared with The Hacker News.
Mcp-server-git is a Python package and an MCP server that offers a range of tools to interact with Git repositories programmatically using large language models (LLMs).
The security issues, disclosed in June 2025 and addressed in versions 2025.9.25 and 2025.12.18, are as follows:
- CVE-2025-68143 (CVSS score: 8.8 [v3] / 6.5 [v4]) – Path traversal vulnerability in the git_init tool (fixed in version 2025.9.25)
- CVE-2025-68144 (CVSS score: 8.1 [v3] / 6.4 [v4]) – Argument injection vulnerability in the git_diff and git_checkout functions (fixed in version 2025.12.18)
- CVE-2025-68145 (CVSS score: 7.1 [v3] / 6.3 [v4]) – Path traversal vulnerability in the --repository flag (fixed in version 2025.12.18)
Exploiting these vulnerabilities could allow attackers to manipulate directories, overwrite files, and access repositories on the server.
In an attack scenario documented by Cyata, these vulnerabilities could be combined with the Filesystem MCP server to achieve remote code execution by writing to a ".git/config" file and triggering git_init through prompt injection:
- Use git_init to create a repo in a writable directory
- Use Filesystem MCP server to write a malicious .git/config with a clean filter
- Write a .gitattributes file to apply the filter to certain files
- Create a shell script with the payload
- Write a file to trigger the filter
- Call git_add to execute the clean filter and run the payload
In response to these findings, the git_init tool has been removed from the package and additional validation measures have been implemented to prevent path traversal vulnerabilities. Users are advised to update to the latest version for enhanced security.
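The fixes described above come down to two classes of input check: confining repository paths to an allowed root, and refusing caller-supplied values that git could parse as options. The following Python is an added illustration of both, not code from mcp-server-git or Cyata; the allowed root, the function names and the sample inputs are assumptions.

```python
"""Input validation for a Git MCP server: path confinement and argv hardening.

Added example, not code from mcp-server-git. resolve_repo_path() addresses the
path-traversal class of issue; safe_git_args() addresses argument injection.
"""
from pathlib import Path


class ValidationError(ValueError):
    """Raised when a request would leave the allowed root or smuggle an option."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` under `allowed_root` and require it to stay inside.

    resolve() collapses '..' segments and follows symlinks, so the check runs on
    the real target rather than on the string the caller supplied. An absolute
    `requested` replaces the root when joined, so it is caught the same way.
    """
    root = Path(allowed_root).resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValidationError(f"path escapes allowed root: {requested!r}")
    return candidate


def safe_git_args(subcommand: str, revisions: tuple[str, ...] = (),
                  paths: tuple[str, ...] = ()) -> list[str]:
    """Build a git argv in which caller-supplied values cannot become options.

    Values starting with '-' are refused outright, and the '--' end-of-options
    marker separates revisions from paths so git never reads a path as a flag.
    """
    for value in (*revisions, *paths):
        if value.startswith("-"):
            raise ValidationError(f"option-like argument refused: {value!r}")
    return ["git", subcommand, *revisions, "--", *paths]


def rejects(fn, *args, **kwargs) -> bool:
    """True if `fn` raises ValidationError for these inputs."""
    try:
        fn(*args, **kwargs)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate request beside a traversal and an option.
    print(resolve_repo_path("workspace", "project/repo"))
    print(rejects(resolve_repo_path, "workspace", "../../etc"))  # True
    print(safe_git_args("diff", revisions=("HEAD~1",), paths=("README.md",)))
    print(rejects(safe_git_args, "diff", revisions=("--some-flag",)))  # True
```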
“The Git MCP server is the primary reference implementation for developers. Any breakdown in its security boundaries signals a need for deeper scrutiny across the MCP ecosystem,” noted Shahar Tal, CEO and co-founder of Cyata. “These vulnerabilities are not isolated incidents; they demonstrate inherent risks that need to be addressed.”