It seems that in the pursuit of efficiency, basic digital hygiene has simply been forgotten.

Three vulnerabilities have been discovered in the official Git Model Context Protocol (MCP) server developed by Anthropic. These vulnerabilities allow access to arbitrary files, their deletion, and code execution. The issues affect a component called mcp-server-git, a Python server designed to work with Git repositories using language models.
According to Cyata experts, the vulnerabilities can be exploited through prompt injection. This refers to situations where an attacker influences the content an AI-powered assistant interacts with: for example, a README file, a task description, or a compromised webpage that the assistant opens. This approach allows exploitation of the vulnerabilities without direct access to the victim's system.
The identified issues were fixed in updates released in September and December 2025, after the developers were notified in the summer of that year. The first vulnerability, identified as CVE-2025-68143, resulted from a missing path check in the git_init tool. It accepted arbitrary path values when creating a repository, allowing an attacker to access any directory. This issue received a CVSS 3.0 score of 8.8.
The second vulnerability, CVE-2025-68144, affected the git_diff and git_checkout functions, which passed input parameters directly to Git commands without sanitizing them. This allowed command injection and was scored 8.1 on the same scale.
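The defensive counterpart to the second issue is to never hand a model-supplied value to Git in a position where Git might read it as an option. The following is an added example written for this article, not code from mcp-server-git or from Cyata: it allow-lists ref-like values (rejecting anything starting with "-", containing whitespace, ".." or a ".lock" suffix), builds the git argument list explicitly, and invokes Git as an argument vector rather than a shell string. The function names, the conservative ref pattern and the use of Git's `--end-of-options` marker on the diff invocation are this example's own choices, not the project's.

```python
import re
import subprocess
from pathlib import Path
from typing import List

# Deliberately conservative allow-list for branch/tag/commit names:
# first character must be alphanumeric, so an option-shaped value such as
# "-x" or "--foo=bar" can never match.  Git accepts more than this, but a
# tool exposed to an LLM is better off refusing exotic names.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_git_argument(value: str) -> bool:
    """Return True if `value` may be passed to git as a positional argument.

    Rejects option-like values (leading '-'), embedded whitespace or shell
    metacharacters (not in the pattern), '..' components and '.lock'
    suffixes (which git itself refuses in ref names).
    """
    if not _REF_RE.match(value):
        return False
    if ".." in value or value.endswith(".lock") or value.endswith("/"):
        return False
    return True


def build_git_diff_argv(target: str) -> List[str]:
    """argv for `git diff <target>` with the target pinned as a revision.

    `--end-of-options` (git >= 2.24) tells the revision parser that nothing
    after it is an option; the allow-list above is still the primary gate.
    """
    if not is_safe_git_argument(target):
        raise ValueError(f"refused unsafe git argument: {target!r}")
    return ["git", "diff", "--end-of-options", target]


def build_git_checkout_argv(branch: str) -> List[str]:
    """argv for `git checkout <branch>`; the trailing `--` ends the ref list
    so the value cannot be reinterpreted as a pathspec."""
    if not is_safe_git_argument(branch):
        raise ValueError(f"refused unsafe git argument: {branch!r}")
    return ["git", "checkout", branch, "--"]


def run_git(repo_dir: Path, argv: List[str]) -> str:
    """Run a pre-built argument vector inside `repo_dir`.

    No shell is involved (a list, not a string), so quoting tricks in the
    input cannot create extra commands; cwd pins the repository.
    """
    proc = subprocess.run(
        argv, cwd=repo_dir, capture_output=True, text=True, check=True
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed sample inputs, as a tool server might receive them from a model.
    for candidate in ["main", "feature/login-fix", "v1.2.3", "--not-a-ref",
                      "a..b", "release.lock", "main; id"]:
        print(f"{candidate!r:20} -> {is_safe_git_argument(candidate)}")
```

The separation of "validate", "build argv" and "execute" is the point: a reviewer can read `build_git_diff_argv` and see exactly which argument positions a model can influence.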
The third issue, CVE-2025-68145, again involved incorrect path handling: when the --repository flag was used, there was no check restricting operations to a specific directory. This vulnerability was rated 7.1.
A successful attack could tamper with any file, convert any directory into a Git repository, and gain access to other repositories on the server. According to the experts, the vulnerabilities can be combined to execute arbitrary code. Specifically, it is possible to modify a repository's configuration file, create a malicious filter, and activate it via a git_add call, ultimately executing an embedded script.
After analyzing the threats, the developers removed the git_init tool from the package and strengthened checks to prevent path traversal. Users are strongly advised to update the library to the latest version.
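The kind of path confinement check the first and third issues lacked, and that the article says the fix strengthened, looks like the following. This is an added example written for this article, not the mcp-server-git code and not the project's actual patch: every repository path the tool receives is resolved with symlinks followed and must land inside one configured root, and (an extra layer assumed here, not described on the page) must already contain a `.git` directory, so a request cannot point the tool at an arbitrary directory. `demo_path_checks` builds a throwaway directory layout, constructed for this example, so the behaviour can be seen without a real repository.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict


def confined_path(root: Path, requested: str) -> Path:
    """Resolve `requested` and require that it stays inside `root`.

    Both sides are resolved with symlinks followed, so a '..' component or
    a symlink that points outside the root is rejected here, before any
    git command sees the path.  Relative values are taken relative to root.
    """
    root_resolved = root.resolve()
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = root_resolved / candidate
    resolved = candidate.resolve()
    try:
        resolved.relative_to(root_resolved)
    except ValueError:
        raise PermissionError(f"{requested!r} escapes allowed root {root_resolved}")
    return resolved


def open_repository(root: Path, requested: str) -> Path:
    """Confine the path and additionally insist it is an existing repository.

    Assumed policy for this example: the server only ever operates on
    repositories that already exist under the root, so it never needs to
    create or adopt an arbitrary directory.
    """
    repo = confined_path(root, requested)
    if not (repo / ".git").is_dir():
        raise PermissionError(f"{requested!r} is not a git repository under the root")
    return repo


def _accepts(root: Path, requested: str) -> bool:
    try:
        open_repository(root, requested)
        return True
    except PermissionError:
        return False


def demo_path_checks() -> Dict[str, bool]:
    """Create a constructed layout and report which requests are accepted."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "workspace"
        (root / "repo_a" / ".git").mkdir(parents=True)   # a legitimate repo
        (root / "notes").mkdir()                          # inside root, not a repo
        (base / "outside").mkdir()                        # must never be reachable
        try:
            (root / "escape_link").symlink_to(base / "outside")
            symlink_ok = True
        except OSError:                                   # e.g. no symlink rights
            symlink_ok = False

        results = {
            "inside_repo": _accepts(root, "repo_a"),
            "dotdot_escape": _accepts(root, "../outside"),
            "absolute_outside": _accepts(root, str(base / "outside")),
            "inside_not_repo": _accepts(root, "notes"),
            # confined_path alone is satisfied by "notes"; only the repo check fails
            "notes_is_confined": confined_path(root, "notes") == root.resolve() / "notes",
        }
        results["symlink_escape"] = _accepts(root, "escape_link") if symlink_ok else False
        return results


if __name__ == "__main__":
    for name, accepted in demo_path_checks().items():
        print(f"{name:20} accepted={accepted}")
```

Resolving the root as well as the request matters on systems where the workspace itself sits behind a symlink (a common /tmp layout); comparing an unresolved root with a resolved request would reject legitimate paths or, worse, be bypassed by one.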
The Cyata team emphasizes that this server is a reference implementation of the MCP protocol, serving as a benchmark for other developers. Vulnerabilities that work without special conditions indicate the need for a more thorough review of the entire MCP ecosystem.