
The “Invisible Commands” That Let Hackers Hijack Anthropic’s Git Server


Anthropic has patched three high-severity vulnerabilities in its official Git Model Context Protocol (MCP) server that researchers say could have been exploited to read and delete arbitrary files and even achieve remote code execution (RCE) via prompt injection attacks, security analysts confirmed.

The flaws were found in mcp-server-git, a Python-based implementation maintained by Anthropic that lets large language models (LLMs) interact with Git repositories programmatically. MCP is a protocol that connects AI assistants, including Anthropic’s Claude and other agentic systems, to external tools and data sources so they can perform real-world tasks such as repository searches, diffs, and commits.

mcp-server-git configuration

According to researchers from AI security firm Cyata, the vulnerabilities did not require direct system access. Instead, they could be exploited via prompt injection, in which an attacker manipulates what an AI assistant reads, such as a malicious repository README, a poisoned issue description, or a compromised web page, to trigger unintended behavior in the MCP server.

“These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without any direct access to the victim’s system,” Cyata researcher Yarden Porat said in the report.

The researchers highlighted that these vulnerabilities allow attackers with prompt injection to:

  • Execute code when combined with the filesystem MCP server

  • Delete arbitrary files on the system

  • Read arbitrary files into the LLM context (no direct exfiltration)

The three flaws, tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145, stemmed from failures to properly validate or sanitize inputs to built-in Git tools. They included an unrestricted git_init function that allowed repository creation in arbitrary filesystem paths, an argument injection issue in git_diff, and a path validation bypass that could expose file paths outside the intended repository scope.
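The two input-handling failures described above, confining paths to the repository and keeping option-like values out of git_diff, are the kind of checks a tool server needs at its boundary. The following is an added illustration written for this article, not mcp-server-git’s own code; the function names `resolve_within_repo`, `validate_ref` and `build_diff_argv` and the `/srv/repo` sample root are assumptions made for the example.

```python
"""Illustrative input hardening for a Git tool server.

Added example: this is not mcp-server-git's code. The function names
resolve_within_repo, validate_ref and build_diff_argv are assumptions made
for this illustration. It shows the two classes of check the article
describes: confining file paths to the repository and refusing option-like
revision arguments before they reach `git diff`.
"""
import re
from pathlib import Path
from typing import List, Sequence


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation."""


# Revision arguments must start with a letter or digit (so never '-') and may
# use the characters common in refs and ranges such as main..feature or HEAD~1.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^@{}-]*$")


def resolve_within_repo(repo_root: str, requested: str) -> str:
    """Return `requested` as a path relative to `repo_root`, or raise if it escapes.

    Both sides are fully resolved ('..' and symlinks collapsed) before the
    containment check, so 'docs/../../etc/passwd' and absolute paths are
    rejected instead of being string-prefix-matched.
    """
    root = Path(repo_root).resolve()
    target = (root / requested).resolve()  # an absolute `requested` replaces root
    try:
        relative = target.relative_to(root)
    except ValueError as exc:
        raise ToolInputError(f"path escapes repository: {requested!r}") from exc
    return relative.as_posix()


def is_within_repo(repo_root: str, requested: str) -> bool:
    """Boolean form of resolve_within_repo, handy for tests and logging."""
    try:
        resolve_within_repo(repo_root, requested)
        return True
    except ToolInputError:
        return False


def validate_ref(ref: str) -> str:
    """Reject empty, option-like ('-...') or oddly formed revision arguments."""
    if not _REF_RE.match(ref):
        raise ToolInputError(f"invalid revision argument: {ref!r}")
    return ref


def build_diff_argv(repo_root: str, target: str, paths: Sequence[str] = ()) -> List[str]:
    """Build the argv for `git diff` from validated inputs.

    The revision is validated, file paths are confined to the repository, and
    '--' separates revisions from paths so git never reinterprets a path.
    """
    argv = ["git", "-C", repo_root, "diff", validate_ref(target), "--"]
    argv.extend(resolve_within_repo(repo_root, p) for p in paths)
    return argv


if __name__ == "__main__":
    # Constructed inputs; /srv/repo need not exist for the path logic to run.
    print(build_diff_argv("/srv/repo", "HEAD~1", ["README.md", "src/main.py"]))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        print(bad, "->", is_within_repo("/srv/repo", bad))
```

The containment check compares fully resolved paths rather than string prefixes, which is what defeats `..` segments and absolute paths; the revision check simply refuses anything that git would parse as an option, and the `--` separator keeps the two argument classes apart.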

These weaknesses could also be chained with other MCP servers, such as the Filesystem MCP server, to manipulate .git/config files and trigger execution of attacker-controlled commands through Git filters. Successful exploitation could let threat actors overwrite or delete files, inject malicious code, and compromise systems running AI agents.

Researchers warned that the reference Git MCP server was exposed “out of the box” in default installations before the December 2025 patch, increasing the likelihood that unpatched deployments might be vulnerable in real-world settings. The Git MCP server is considered the canonical implementation that other developers copy.

Anthropic responded to the responsible disclosure in mid-2025 by releasing patched versions of mcp-server-git, including the removal of the risky git_init tool and additional validation to prevent path traversal and argument injection exploits. Organizations using the server are urged to update to at least version 2025.12.18 to mitigate the risk.

Here are some steps you can take to stay safe, as highlighted by Cyata:

  • Update mcp-server-git to version 2025.12.18 or later

  • Audit which MCP servers run together – combining Git + Filesystem increases attack surface

  • Monitor for unexpected .git directories in non-repository folders
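The last recommendation can be turned into a routine check. The script below is an added example written for this article, not tooling from Cyata or Anthropic: it walks a directory tree, reports any .git directory whose parent is not on an allow-list of known repository roots, and, going one step beyond the bullet, also reports filter definitions found in each .git/config, since Git filters are the execution path the article describes. The allow-list, the `SAMPLE_CONFIG` text and the `/opt/tools/placeholder-clean` command are constructed for illustration.

```python
"""Find .git directories outside known repository roots and flag Git filter hooks.

Added example, not Cyata's or Anthropic's tooling. The allow-list of expected
repository roots and the sample config below are constructed for illustration.
A filter's clean/smudge/process entries are commands Git runs when files are
checked in or out, so an unexpected .git/config that defines them is worth a
look. This script only reports; it changes nothing.
"""
import os
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Union

_SECTION_RE = re.compile(r'^\s*\[\s*([A-Za-z]\w*)(?:\s+"([^"]*)")?\s*\]\s*$')
_KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')
_FILTER_KEYS = {"clean", "smudge", "process"}

# Constructed sample of a .git/config carrying a filter definition.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
# filters run external commands on checkout and checkin
[filter "sample"]
\tclean = /opt/tools/placeholder-clean %f
\tsmudge = cat
[remote "origin"]
\turl = https://example.invalid/repo.git
"""


def parse_git_filters(config_text: str) -> Dict[str, Dict[str, str]]:
    """Return {filter_name: {key: command}} for each [filter "name"] section.

    Only clean/smudge/process keys are kept; comment lines (# or ;) are skipped.
    Values are kept verbatim so a command containing '#' or ';' is not truncated.
    """
    filters: Dict[str, Dict[str, str]] = {}
    section, name = None, None
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = _SECTION_RE.match(raw)
        if m:
            section, name = m.group(1).lower(), m.group(2)
            continue
        m = _KEY_RE.match(raw)
        if m and section == "filter" and name is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key in _FILTER_KEYS:
                filters.setdefault(name, {})[key] = value
    return filters


def is_expected_repo(git_dir: Union[str, Path], allowed_roots: Iterable[Union[str, Path]]) -> bool:
    """True only when the .git directory sits directly in an allow-listed root."""
    repo = Path(git_dir).parent.resolve()
    return any(repo == Path(root).resolve() for root in allowed_roots)


def scan(base: Path, allowed_roots: Iterable[Union[str, Path]]) -> List[str]:
    """Walk `base`, reporting unexpected .git directories and any filter hooks."""
    allowed = list(allowed_roots)
    findings: List[str] = []
    for dirpath, dirnames, _files in os.walk(base):
        if ".git" not in dirnames:
            continue
        dirnames.remove(".git")  # no need to descend into the object store
        git_dir = Path(dirpath) / ".git"
        if not is_expected_repo(git_dir, allowed):
            findings.append(f"unexpected .git directory: {git_dir}")
        config = git_dir / "config"
        if config.is_file():
            hooks = parse_git_filters(config.read_text(errors="replace"))
            for fname, keys in hooks.items():
                findings.append(f"filter {fname!r} defined in {config}: {keys}")
    return findings


if __name__ == "__main__":
    # Usage: python scan_git_dirs.py <base-dir> [expected-repo-root ...]
    base = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home()
    expected = [Path(p) for p in sys.argv[2:]]
    for line in scan(base, expected) or ["no findings"]:
        print(line)
```

Run it against a home directory or an agent’s working directory with the repositories you actually expect as the allow-list; a .git directory anywhere else, or a filter section in a config you did not write, is the signal the recommendation asks you to watch for.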

While there have been no confirmed reports of active exploitation in the wild, experts say the incident underscores broader security concerns with the rapidly growing MCP ecosystem.

The Model Context Protocol, released in late 2024, has gained traction as a standard for enabling LLMs and agentic AI systems to call external tools, but prompt injection and tool composition risks remain a top concern for developers and security teams alike.

Abdul Wasay

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.