The Anthropic official Git MCP server has multiple security vulnerabilities that allow for file read and write access and potential remote code execution

January 21, 2026 08:21:54


Three security vulnerabilities have been discovered in the official mcp-server-git maintained by Anthropic. They can be exploited through prompt injection: an attacker can trigger them via a malicious README file or a compromised web page, without direct access to the victim's system. The vulnerabilities are CVE-2025-68143 (unrestricted git_init), CVE-2025-68145 (path validation bypass), and CVE-2025-68144 (parameter injection in git_diff).

When these vulnerabilities are combined with the filesystem MCP server, attackers can execute arbitrary code, delete system files, or read arbitrary file contents into the large language model's context. Cyata points out that because mcp-server-git performs no path validation on the repo_path parameter, attackers can create Git repositories in any directory on the system. Additionally, by configuring a clean filter in .git/config, attackers can have shell commands run without being granted any execute permission. Anthropic assigned CVE identifiers and submitted a patch on December 17, 2025. Users are advised to update mcp-server-git to version 2025.12.18 or later.
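Two defensive checks that follow from the report, as an added example that is not part of the article or of mcp-server-git itself: a repo_path allowlist check that resolves symlinks and `..` before testing containment (the control the bypassed path validation should provide), and a scanner that flags any clean/smudge filter command in a .git/config, which is the persistence mechanism the article describes. The allowed roots and the sample config are constructed for illustration.

```python
import re
from pathlib import Path

# Git config section header, e.g. [core] or [filter "name"].
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
# Git config key/value line, e.g.   clean = some-command
KEY_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')


def repo_path_allowed(repo_path: str, allowed_roots: list[str]) -> bool:
    """True only if repo_path, after resolving symlinks and '..', lies inside an allowed root.

    Comparing resolved paths with is_relative_to() defeats both traversal
    ('/srv/repos/../../etc') and string-prefix tricks ('/srv/repos-other').
    """
    resolved = Path(repo_path).resolve()
    return any(resolved.is_relative_to(Path(root).resolve()) for root in allowed_roots)


def validate_repo_path(repo_path: str, allowed_roots: list[str]) -> Path:
    """Raise instead of silently accepting a repo_path outside the allowlist."""
    if not repo_path_allowed(repo_path, allowed_roots):
        raise PermissionError(f"repo_path {repo_path!r} is outside the allowed roots")
    return Path(repo_path).resolve()


def find_filter_commands(git_config_text: str) -> list[tuple[str, str, str]]:
    """Return (filter_name, key, command) for every clean/smudge command in a .git/config.

    Any hit means Git will run that command on checkout or staging, so a
    repository reachable by an agent should have none that were not set on purpose.
    """
    hits: list[tuple[str, str, str]] = []
    filter_name = None
    for line in git_config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        section = SECTION_RE.match(line)
        if section:
            filter_name = section.group(2) if section.group(1) == "filter" else None
            continue
        entry = KEY_RE.match(line)
        if filter_name is not None and entry and entry.group(1) in ("clean", "smudge"):
            hits.append((filter_name, entry.group(1), entry.group(2)))
    return hits


# Constructed sample .git/config with one filter entry, for demonstration only.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[filter "untrusted"]
\tclean = /tmp/untrusted-clean.sh
\tsmudge = cat
"""
```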
