Multiple vulnerabilities found in Anthropic's Git MCP server

Multiple vulnerabilities found in Anthropic's Git MCP server

Briefly

"Cyata discovered three separate security vulnerabilities in the server. The first concerns an unrestricted git_init function that allows repository initialization on arbitrary file system paths (CVE-2025-68143). In addition, there is a path validation bypass that allows access to repositories outside the configured allowlist (CVE-2025-68145). Finally, Cyata found an argument injection error in the git_diff tool, whereby unsanitized input is passed to the Git command-line interface (CVE-68144)."

"These three cyber threats are particularly serious, because individually they would have been much less interesting to attackers. When exploits of these vulnerabilities are combined, attackers can read or delete arbitrary files and overwrite files on the host system. The risk increases significantly when the Git MCP server is used in conjunction with the Filesystem MCP server. In that situation, attackers can exploit Git's smudge and clean filters to execute shell commands defined in repository configuration files."

"Anthropic created the Model Context Protocol. Security was not necessarily a key focus in order to accelerate adoption. However, it now appears that Anthropic's own Git MCP server has been vulnerable to multiple vulnerabilities. This is despite the fact that it is the reference implementation of MCP for Git; the vulnerability has since been patched. All implementations that closely followed Anthropic's example and date from before December 18 are vulnerable."