Three zero-day vulnerabilities in mcp-server-git, the reference implementation of Git integration for the Mannequin Context Protocol (MCP).
The issues stem from inadequate enter validation and argument sanitization in core Git operations. By immediate injection, attackers can execute code, delete recordsdata, and exfiltrate delicate knowledge with out direct system entry. Patches can be found in model 2025.12.18 and later.
In contrast to prior MCP safety findings, these vulnerabilities have an effect on default configurations out of the field, posing a right away threat to organizations deploying Anthropic’s official MCP servers.
These vulnerabilities uncovered by Cyata permit attackers to affect the AI assistant’s context by way of malicious READMEs, poisoned concern descriptions, or compromised webpages.
When the LLM processes this content material, it triggers MCP device calls with attacker-controlled arguments. Crucially, no direct system entry is required.
CVE IDIssueCVSSImpactCVE-2025-68143Unrestricted repo initialization8.6Directory traversal, knowledge exfiltrationCVE-2025-68145Path validation bypass8.2Unauthorized repo accessCVE-2025-68144Argument injection8.8File deletion or corruption
The assault chain combines a number of weaknesses: unrestricted repository paths permit entry to any Git listing on the system.
Argument injection permits arbitrary file operations, and integration with the Filesystem MCP server facilitates code execution by way of Git filters.
Assault chain (supply: Cyata)
Anthropic Git MCP Server Vulnerabilities
Repository Path Bypass (CVE-2025-68145): The git_diff and git_log features settle for repo_path instantly from consumer arguments with out validation towards the –repository flag configured throughout server initialization. This enables attackers to entry any Git repository on the filesystem, not simply the meant one.
Unrestricted Initialization (CVE-2025-68143): The git_init device lacks path validation totally, allowing attackers to create repositories in arbitrary directories similar to /dwelling/consumer/.ssh. Mixed with git_log or git_diff, this permits delicate file exfiltration into the LLM context.
Argument Injection (CVE-2025-68144): The git_diff perform passes the goal parameter on to Git CLI with out sanitization. Attackers inject flags like –output to overwrite arbitrary recordsdata. An attacker may execute git_diff with the goal possibility “–output=/dwelling/consumer/.bashrc” to delete or corrupt vital recordsdata.
Probably the most extreme discovering entails Git filter configuration. Attackers can exploit git_init to create a malicious. git/config with clear/smudge filters, shell instructions executed throughout staging operations.
The assault chain entails writing malicious configuration recordsdata by way of the Filesystem MCP server, creating .gitattributes to set off filters, and executing arbitrary payloads with out requiring execute permissions.
This demonstrates how MCP’s interconnected structure, combining Git, filesystem, and LLM capabilities, can amplify particular person vulnerabilities into a whole system compromise. Any group operating mcp-server-git variations earlier than 2025.12.18 is susceptible.
Notably in danger are AI-powered IDEs (Cursor, Windsurf, GitHub Copilot), which run a number of MCP servers concurrently, thereby increasing the assault floor.
Cyata analysis signifies that customers of Claude Desktop with Git integration ought to deal with updates as a excessive precedence to stop potential exploitation.
MitigationDescriptionUpdate softwareUpgrade mcp-server-git to model 2025.12.18 or laterAudit integrationsReview MCP server mixtures, particularly Git + FilesystemMonitor filesystemCheck for sudden .git directories outdoors repositoriesReview permissionsApply least-privilege entry to MCP serversValidate inputsAdd stronger enter validation in downstream instruments
These vulnerabilities underscore a vital actuality: agentic techniques introduce novel assault vectors that conventional safety fashions don’t handle.
As AI brokers acquire autonomous operational capabilities, organizations should rethink menace fashions round LLM-driven decision-making and power invocation.
The MCP structure itself isn’t flawed, however its safety is dependent upon rigorous enter validation at each integration level.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
