Perceptive Security
SOC/SIEM Consultancy

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
Published:
20 January 2026 at 13:55:00
Alert date:
20 January 2026 at 15:01:54
Source:
thehackernews.com
Supply Chain & Dependencies, Web Technologies
Three security vulnerabilities were disclosed in mcp-server-git, Anthropic's official Git Model Context Protocol (MCP) server. Chained together, the flaws let an attacker read or delete arbitrary files and execute code, with prompt injection as the trigger: exploitation can begin when an AI assistant reads attacker-controlled content such as a README file, which makes these vulnerabilities particularly concerning for AI-powered development tools.
Technical details
Three vulnerabilities were found in Anthropic's mcp-server-git package:
1) Path traversal in the git_init tool, which accepted an arbitrary file path as the repository location without validation.
2) Argument injection in the git_diff and git_checkout tools, which passed user-controlled values straight to the git CLI, where a value beginning with "-" is parsed as an option rather than as a revision or path.
3) Path traversal caused by missing path validation when the server is started with the --repository flag, so repository paths supplied in tool calls were not confined to the configured repository.
All three are reachable through prompt injection, because the model chooses the tool arguments. Chained with the Filesystem MCP server they lead to code execution: create a repository, write a malicious .git/config that defines a clean filter, add a .gitattributes file that applies the filter, drop the shell script the filter runs, then trigger it with git_add, which invokes the filter on the staged files.
Mitigation steps:
Update the mcp-server-git Python package to version 2025.12.18 or later; the fixes were shipped across the 2025.9.25 and 2025.12.18 releases. The git_init tool has been removed from the package, and extra path validation has been added to close the path traversal primitives.
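The checks that the flaws and fixes above call for, plus a scanner for the .git/config payload used in the described chain, as an added example. This is not mcp-server-git's own code and not the researchers' exploit: the function names, the single allowed repository root, the list of command-executing config keys and the sample .git/config are assumptions made for illustration, and the argv builder assumes git is run without a shell and is at least version 2.24 (for --end-of-options).

```python
"""Hardening checks for an MCP Git server, one per flaw class described above.
Added example: NOT mcp-server-git's own code. Function names, the allowed-root
layout and the sample .git/config are assumptions made for illustration."""
from __future__ import annotations

import re
from collections.abc import Sequence
from pathlib import Path


# --- Flaw 2: argument injection into git diff / git checkout -----------------
def safe_git_argv(subcommand: str, fixed_options: Sequence[str] = (),
                  revisions: Sequence[str] = (), paths: Sequence[str] = ()) -> list[str]:
    """Build an argv (for subprocess.run without a shell) in which user values
    cannot be parsed by git as options: server-chosen options come first,
    '--end-of-options' (assumes git >= 2.24) precedes the user's revisions and
    '--' precedes pathspecs. Values starting with '-' are rejected outright, so
    a 'target' such as "--output=/tmp/x" or "--no-index" never reaches git."""
    for value in (*revisions, *paths):
        if not value or value.startswith("-") or "\x00" in value:
            raise ValueError(f"refusing option-like or malformed argument: {value!r}")
    argv = ["git", subcommand, *fixed_options]
    if revisions:
        argv += ["--end-of-options", *revisions]
    if paths:
        argv += ["--", *paths]
    return argv


# --- Flaws 1 and 3: repo_path traversal / --repository confinement -----------
def resolve_in_root(allowed_root: str | Path, requested: str) -> Path:
    """Resolve a user-supplied repo_path and refuse it if it escapes allowed_root.
    An absolute 'requested' replaces the root when joined (pathlib semantics),
    and '..' segments or symlinks are collapsed by resolve(), so every escape
    route ends in relative_to() failing."""
    root = Path(allowed_root).resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"{requested!r} resolves outside {root}") from None
    return candidate


# --- Detecting the RCE chain: command-executing keys in .git/config ----------
SECTION_RE = re.compile(r'^\s*\[\s*([^\s"\]]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')
# Keys whose value git executes as a command (illustrative list, not exhaustive).
EXEC_KEY_PATTERNS = (
    re.compile(r"^filter\..+\.(clean|smudge|process)$"),
    re.compile(r"^core\.(fsmonitor|sshcommand|pager|editor|hookspath|askpass)$"),
    re.compile(r"^diff\.(external|.+\.(command|textconv))$"),
    re.compile(r"^merge\..+\.driver$"),
    re.compile(r"^(credential\.helper|gpg\.program|sequence\.editor)$"),
)


def parse_git_config(text: str) -> list[tuple[str, str]]:
    """Flatten git-config syntax into ('section.sub.key', value) pairs. Section
    and key names are case-insensitive in git and are lowercased here; a quoted
    subsection name keeps its case. Comment-only lines are skipped."""
    entries: list[tuple[str, str]] = []
    prefix = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip()[0] in "#;":
            continue
        if (m := SECTION_RE.match(line)):
            prefix = m.group(1).lower()
            if m.group(2) is not None:
                prefix += f".{m.group(2)}"
        elif prefix is not None and (m := KEY_RE.match(line)):
            value = m.group(2).strip() if m.group(2) is not None else "true"
            entries.append((f"{prefix}.{m.group(1).lower()}", value))
    return entries


def find_exec_keys(config_text: str) -> list[tuple[str, str]]:
    """Return the entries that make git run a command: the filter.<name>.clean
    hook that git_add triggers in the described chain, and shell aliases ('!cmd')."""
    return [(k, v) for k, v in parse_git_config(config_text)
            if any(p.match(k) for p in EXEC_KEY_PATTERNS)
            or (k.startswith("alias.") and v.startswith("!"))]


# Constructed sample of a .git/config an attacker could write through the
# Filesystem MCP server; with a .gitattributes rule such as '* filter=rce',
# the 'clean' command runs when git_add stages a matching file.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[filter "rce"]
\tclean = sh .git/payload.sh
\tsmudge = cat
[alias]
\tst = status
\tpwn = !sh .git/payload.sh
"""

if __name__ == "__main__":
    print(safe_git_argv("diff", ["--unified=3"], revisions=["HEAD~1"]))
    for attempt in (lambda: safe_git_argv("diff", revisions=["--output=/tmp/owned"]),
                    lambda: resolve_in_root("/srv/repos/project", "../../../etc/passwd")):
        try:
            attempt()
        except (ValueError, PermissionError) as exc:
            print("blocked:", exc)
    for key, value in find_exec_keys(SAMPLE_CONFIG):
        print(f"exec-capable key: {key} = {value}")
```

Rejecting option-like values before they reach git is deliberate: relying only on `--end-of-options` would still let a model-chosen argument change how a command behaves on older git builds, whereas an MCP tool has no legitimate reason to accept a branch name or diff target that starts with "-". On the detection side, running find_exec_keys over the .git/config of any repository an MCP server can write into turns the chain's prerequisite into an alert: a filter.*.clean, core.fsmonitor or "!" alias that appears after a tool call is a strong indicator of this attack.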
Affected products:
mcp-server-git Python package (fixed in versions 2025.9.25 and 2025.12.18)
Anthropic Model Context Protocol (MCP) Git server
Filesystem MCP server
Related links:
https://pypi.org/project/mcp-server-git/
https://github.com/modelcontextprotocol/servers
https://cyata.ai/blog/cyata-research-breaking-anthropics-official-mcp-server/
https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v
https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59
https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5
https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
