Three flaws in Anthropic mcp-server-git could expose files and enable code execution

Three security vulnerabilities in Anthropic’s mcp-server-git package could allow reading or deleting arbitrary files and, in a chained scenario, remote code execution. The flaws were fixed in versions 2025.9.25 and 2025.12.18 after responsible disclosure in June 2025, a technical analysis by Cyata said.

KEY FACTS

  • Incident: Three vulnerabilities in mcp-server-git that allow file access and manipulation
  • Affected software: Anthropic’s mcp-server-git Python package
  • Tracked issues: CVE-2025-68143, CVE-2025-68144, CVE-2025-68145
  • Fixes: Patched in versions 2025.9.25 and 2025.12.18

Mcp-server-git is a Python package and the canonical Git Model Context Protocol server that provides built-in tools for large language models to read, search and manipulate Git repositories programmatically.

The project’s security advisories list three tracked CVEs, including CVE-2025-68143, a path traversal in the git_init tool that accepted arbitrary filesystem paths without validation, according to the official security advisory on GitHub. The other two vulnerabilities cover argument injection in git_diff and git_checkout and a second path traversal involving the --repository flag. The advisories include CVSS scores ranging from 7.1 to 8.8.

The report shows these flaws can be exploited via prompt injection, meaning an attacker who can control content read by an assistant can weaponize the tools without direct access to the host. The researcher documented a chained attack that uses the Filesystem MCP server to write a malicious .git/config and .gitattributes, then trigger a clean filter to execute a payload during git add.

In response the git_init tool was removed from the package and additional path validation was added to limit traversal primitives. Users of the Python package are advised to update to the patched versions. The available material does not indicate observed widespread exploitation.
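The two input checks that these bug classes call for, path containment and option-like ref rejection, can be sketched as follows. This is an added example, not code from mcp-server-git or from the Cyata analysis; the function names, the exception type and the sample values are hypothetical.

```python
# Added illustration; names are hypothetical, not mcp-server-git's own code.
from pathlib import Path


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Return the canonical path only if it stays inside allowed_root."""
    root = Path(allowed_root).resolve()
    # resolve() collapses ".." and follows symlinks before the comparison,
    # so neither can be used to step outside the root. An absolute
    # `requested` replaces the root in the join and is then checked as-is.
    candidate = (root / requested).resolve()
    # is_relative_to compares whole path components, so a sibling such as
    # "<root>-evil" does not pass the way a string prefix test would allow.
    if not candidate.is_relative_to(root):
        raise ToolInputError(f"path escapes allowed repository: {requested!r}")
    return candidate


def validate_ref(ref: str) -> str:
    """Reject values that git would parse as an option instead of a ref."""
    if not ref or ref.startswith("-"):
        raise ToolInputError(f"ref looks like an option: {ref!r}")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in ref):
        raise ToolInputError(f"ref has whitespace or control chars: {ref!r}")
    return ref


if __name__ == "__main__":
    # Constructed sample inputs, checked against the current directory.
    for value in ["src", "../outside", "/etc"]:
        try:
            print("path ok:", resolve_repo_path(".", value))
        except ToolInputError as exc:
            print("rejected:", exc)
    for value in ["main", "--example-option"]:
        try:
            print("ref ok:", validate_ref(value))
        except ToolInputError as exc:
            print("rejected:", exc)
```

Checks like these sit in front of the git invocation; they do not replace updating to the patched versions.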

WHY IT MATTERS

The flaws increase the risk of prompt injection attacks that can lead to data exposure and code execution when LLMs are given tools with insufficient input validation. Operators should apply the updates and review MCP server configurations and repository permissions.