Anthropic has addressed three critical vulnerabilities in its Git MCP server that could enable remote code execution through prompt injection attacks, requiring users to update to version 2025.12.18 or later.

Anthropic has resolved significant security flaws in its official Git Model Context Protocol (MCP) server (mcp-server-git), which connects AI tools like Claude, Copilot, and Cursor to Git repositories and GitHub. These vulnerabilities, when chained with Anthropic's Filesystem MCP server, could allow attackers to execute arbitrary code or overwrite files through prompt injection attacks. Organizations using these integrations must immediately update to version 2025.12.18 or newer to mitigate these risks.
Vulnerabilities Patched
Three critical CVEs were addressed in the December 2025 update:
- CVE-2025-68145: Path validation bypass allowing access to unauthorized repositories by circumventing repository path restrictions.
- CVE-2025-68143: Unrestricted git_init function permitting conversion of any directory into a Git repository (resolved by removing the git_init tool).
- CVE-2025-68144: Argument injection in git_diff enabling file overwrites via malicious --output parameters.
Attack Mechanism
Cyata Security researchers demonstrated how indirect prompt injection could exploit these flaws:
- Malicious instructions hidden in README files or GitHub issues trigger the vulnerabilities.
- Attackers chain Git and Filesystem MCP servers to abuse Git's clean/smudge filters.
- Filters execute attacker-defined shell scripts during Git operations, leading to remote code execution.
Compliance Requirements
- Immediate Action: Upgrade all deployments of mcp-server-git to version 2025.12.18 or later from the official Anthropic repository.
- Configuration Review: Audit Git repository permissions and restrict writable directories accessible to MCP servers.
- Tool Interaction Analysis: Evaluate how MCP servers interact across your AI infrastructure, as vulnerabilities emerge when tools like Git and Filesystem servers combine.
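As part of the configuration review above, one way to audit a repository for the clean/smudge filter drivers abused in the chain: list every driver defined in the repository's Git config and the .gitattributes patterns that invoke it. This is an added example, not code from Anthropic, Cyata, or mcp-server-git; the function names, the allowlist and the sample inputs are assumptions constructed here.

```python
import re

# Constructed sample inputs (not taken from any real repository).
SAMPLE_CONFIG = '''[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
[filter "conv"]
\tsmudge = ./tools/normalize.sh
[user]
\tname = dev
'''
SAMPLE_ATTRS = "# constructed\n*.bin filter=lfs diff=lfs -text\n*.md text filter=conv\n"

SECTION = re.compile(r'^\s*\[filter\s+"([^"]+)"\]\s*$', re.I)
KEYVAL = re.compile(r'^\s*(clean|smudge|process)\s*=\s*(.*?)\s*$', re.I)
ATTR = re.compile(r'(?:^|\s)filter=(\S+)')

def filter_drivers(config_text):
    """Return {driver: {key: command}} for each [filter "x"] config section."""
    drivers, current = {}, None
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            drivers.setdefault(current, {})
        elif line.lstrip().startswith("["):
            current = None                      # some other section begins
        elif current and (kv := KEYVAL.match(line)):
            drivers[current][kv.group(1).lower()] = kv.group(2)
    return drivers

def attribute_filters(attr_text):
    """Return {pattern: driver} for .gitattributes lines that set filter=."""
    found = {}
    for line in map(str.strip, attr_text.splitlines()):
        if line and not line.startswith("#") and (m := ATTR.search(line)):
            found[line.split()[0]] = m.group(1)   # unquoted patterns only
    return found

def audit(config_text, attr_text, allowed=frozenset()):
    """Report drivers that run a command and are not on the allowlist."""
    used = attribute_filters(attr_text)
    return [{"driver": d, "commands": cmds,
             "patterns": sorted(p for p, n in used.items() if n == d)}
            for d, cmds in sorted(filter_drivers(config_text).items())
            if cmds and d not in allowed]
```

Feed `audit()` the text of `.git/config` and `.gitattributes` from each repository an MCP server can reach. Drivers can also be defined in global or system Git config, and attributes can come from nested `.gitattributes` files or `.git/info/attributes`, so include those sources in a full review.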
Ongoing Risk Management
This incident underscores broader security challenges with AI agent ecosystems:
- Permission Boundaries: MCP servers expand AI capabilities but create new attack surfaces when tools interoperate.
- Prompt Injection: Remains an unresolved threat vector requiring continuous monitoring.
- Vendor Coordination: Anthropic fixed these flaws within six months of Cyata's June 2025 disclosure. Maintain proactive vulnerability reporting channels with AI vendors.
Organizations using Anthropic's MCP integrations should treat this as a critical patch event. Failure to update leaves systems exposed to attacks where compromised AI agents could execute malicious payloads via routine Git operations.
