"The Git MCP server, mcp-server-git, connects AI tools such as Copilot, Claude, and Cursor to Git repositories and the GitHub platform, allowing them to read repositories and code files, and automate workflows, all using natural language interactions. Agentic AI security startup Cyata found a way to exploit the vulnerabilities - a path validation bypass flaw ( CVE-2025-68145), an unrestricted git_init issue ( CVE-2025-68143), and an argument injection in git_diff ( CVE-2025-68144) - and chain the Git MCP server with the Filesystem MCP server to achieve code execution."
""Agentic systems break in unexpected ways when multiple components interact. Each MCP server might look safe in isolation, but combine two of them, Git and Filesystem in this case, and you get a toxic combination," Cyata security researcher Yarden Porat told The Register, adding that there's no indication that attackers exploited the bugs in the wild. "As organizations adopt more complex agentic systems with multiple tools and integrations, these combinations will multiply," Porat said."
Three vulnerabilities in mcp-server-git allowed malicious chaining with the Filesystem MCP server to enable remote code execution and file overwrite via prompt injection. The flaws include a path validation bypass (CVE-2025-68145), an unrestricted git_init issue (CVE-2025-68143), and an argument injection in git_diff (CVE-2025-68144). Cyata reported the issues in June and Anthropic fixed them in December. The vulnerabilities affect default deployments of mcp-server-git prior to 2025.12.18. No evidence of exploitation in the wild was reported. The incident demonstrates risks when multiple agentic tools and integrations interact.
Read at Theregister
Unable to calculate read time
Collection
[
|
...
]