Anthropic created the Model Context Protocol. Security was not necessarily a key focus; the priority was rapid adoption. It now appears that Anthropic’s own Git MCP server contained multiple vulnerabilities, despite being the reference implementation of MCP for Git. The vulnerabilities have since been patched.
All implementations that closely followed Anthropic’s example and date from before December 18 are vulnerable. This concerns mcp-server-git, the reference implementation of Anthropic’s Model Context Protocol for Git. Ironically, it is supposed to show developers how to safely expose Git repositories to LLM-driven agents. Shahar Tal, co-founder and CEO of Cyata Security, which discovered the vulnerabilities, refers to it as the “canonical” Git MCP server. He argues that the series of vulnerabilities shows that the entire MCP ecosystem requires deeper security.
Three high-impact vulnerabilities
Cyata discovered three separate security vulnerabilities in the server. The first is an unrestricted git_init function that allows repository initialization on arbitrary file system paths (CVE-2025-68143). The second is a path validation bypass that allows access to repositories outside the configured allowlist (CVE-2025-68145). The third is an argument injection flaw in the git_diff tool, whereby unsanitized input is passed straight to the Git command-line interface (CVE-2025-68144).
Individually, these three vulnerabilities would have been of much less interest to attackers; it is the combination that makes them serious. When exploits for them are chained, attackers can read, delete or overwrite arbitrary files on the host system. The risk increases significantly when the Git MCP server is used in conjunction with the Filesystem MCP server. In that situation, attackers can exploit Git’s smudge and clean filters to execute shell commands defined in repository configuration files.
Prompt injection as an attack vector
The vulnerabilities are particularly concerning because MCP servers are fundamental to the functionality of agents running on LLMs. Prompt injection is at the top of the OWASP Top 10 for AI applications and makes it possible to manipulate LLMs. This means that the entire exploit chain can be triggered without credentials, shell access, or direct interaction with the target system.
Attackers can exploit the vulnerabilities by influencing content that an AI assistant reads. Examples include a malicious README file, a poisoned issue description, or a compromised web page. The only limit here is the attacker’s creativity: if an agent has extensive privileges, these can be exploited by poisoning data.
Solution in sight
Cyata reported the vulnerabilities to Anthropic in June last year. Patches followed on December 17. The fix included the complete removal of the git_init tool from the Git MCP server.
Organizations that have not yet updated their mcp-server-git installations are strongly advised to do so immediately. In addition, all MCP tool arguments should be treated as untrusted input. It is wise to limit which MCP servers and tools agents are allowed to call. Agent permissions should also be evaluated holistically, rather than tool-by-tool.
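As an added illustration of the mitigations above (not code from mcp-server-git or Anthropic), the following Python checks treat tool arguments as untrusted: a repository path is canonicalised and tested component-wise against a hypothetical allowlist, and a `git diff` command line is built so that no user-supplied value can be parsed as an option. It assumes git 2.24 or newer for `--end-of-options`.

```python
# Added example, not mcp-server-git's own code. Defensive checks for the two
# input classes the article describes: repository paths outside an allowlist
# and option-like arguments reaching the git CLI.
from pathlib import Path

ALLOWED_ROOTS = [Path("/srv/repos")]  # constructed sample allowlist (hypothetical)


def resolve_repo_path(requested: str, allowed_roots=None) -> Path:
    """Canonicalise first (symlinks, '..'), then test containment by path
    component. A plain string prefix test would wrongly accept
    '/srv/repos-evil' as lying under '/srv/repos'."""
    roots = allowed_roots if allowed_roots is not None else ALLOWED_ROOTS
    real = Path(requested).resolve(strict=False)
    for root in roots:
        root_real = root.resolve(strict=False)
        if real == root_real or root_real in real.parents:
            return real
    raise PermissionError(f"{requested!r} is outside the repository allowlist")


def build_git_diff_argv(repo: Path, target: str, paths=()) -> list[str]:
    """Build argv for `git diff` so user values can never act as options:
    reject anything starting with '-', put the revision after
    --end-of-options (git >= 2.24) and any pathspecs after '--'."""
    for value in (target, *paths):
        if not value or value.startswith("-"):
            raise ValueError(f"option-like or empty argument rejected: {value!r}")
    argv = ["git", "-C", str(repo), "diff", "--no-ext-diff",
            "--end-of-options", target]
    if paths:
        argv += ["--", *paths]
    return argv
```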