
"Threat actors could use prompt injection attacks to take advantage of three vulnerabilities in Anthropic's official Git MCP server and cause mayhem with AI systems. This alert comes from researchers at Israel-based Cyata, which urges infosec leaders to make sure corporate developers using the official Git MCP server update to the latest version as soon as possible. The risk is that an attacker could run unapproved code or tamper with a large language model (LLM), compromising its output."
"While the official Git MCP server can be exploited on its own, "the toxic combination is when both the Git MCP server and a Filesystem MCP server are enabled," Cyata CEO Shahar Tal said in an interview. "Then that [AI] agent is at critical risk. We urge people to use the latest versions [of both applications]." At risk are developers using mcp-server-git versions prior to 2025.12.18."
"Unlike other vulnerabilities in MCP servers that required specific configurations, these work on any configuration of Anthropic's official server, out of the box, Cyata says. Model Context Protocol (MCP) is an open standard introduced by Anthropic in 2024 to provide a unified way for AI assistants to interact with external tools and data sources including filesystems, databases, APIs, and development tools like Git. MCP servers expose capabilities to the AI, acting as a bridge between the LLM and external systems."
Researchers at Cyata report three vulnerabilities in Anthropic's official Git MCP server (mcp-server-git) that a prompt injection attack can turn into unapproved code execution or tampering with an LLM's output. The risk escalates when a Filesystem MCP server is enabled alongside it; Cyata calls that the "toxic combination" and says an agent running both is at critical risk. Versions of mcp-server-git before 2025.12.18 are affected, and unlike earlier MCP server bugs that depended on particular configurations, these work against a default, out-of-the-box install. Because the Model Context Protocol (MCP) exposes external tools and data sources to the LLM, a manipulated prompt can cause the model to issue MCP tool calls with attacker-controlled arguments. Recommended actions: update both servers to their latest versions immediately, and monitor for unexpected .git directories appearing in folders that are not known repositories.
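Two checks a defender might script after reading the advisory above, as an added example that is not code from the InfoWorld article, from Cyata, or from the mcp-server-git project. The only fact taken from the page is the first fixed release, 2025.12.18; the directory layout, function names and the allow-list of "known repositories" are this example's own assumptions. The first function implements the article's monitoring recommendation by walking a tree and reporting every .git directory (or .git file, as git worktrees and submodules use) that is not the top of an allow-listed repository. The second compares an installed mcp-server-git version string against the fixed release, assuming the package's dotted calendar-version scheme.

```python
"""Added example: detect stray .git entries and check the installed
mcp-server-git version against the fixed release named in the article.
Not from the article, Cyata, or the mcp-server-git project."""
import os
import re
import tempfile
from pathlib import Path

# First fixed release per the article; everything else here is assumed.
FIXED_VERSION = "2025.12.18"


def parse_version(version):
    """Turn '2025.12.18' into (2025, 12, 18) for tuple comparison.

    Splits on '.' and '-' and keeps only the leading digits of each piece,
    so a suffix such as 'rc1' does not break the comparison.
    """
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_fixed_version(installed, fixed=FIXED_VERSION):
    """True when the installed version is the fixed release or newer."""
    return parse_version(installed) >= parse_version(fixed)


def find_unexpected_git_dirs(root, allowed_repo_roots):
    """Walk `root` and return every '.git' directory or file whose parent
    is not an allow-listed repository root.

    Allow-listed repositories are not descended into, so their own
    submodules and worktrees are not reported. The contents of any
    reported .git database are not walked either.
    """
    allowed = {Path(p).resolve() for p in allowed_repo_roots}
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if here in allowed:
            dirnames[:] = []  # known repo: do not descend
            continue
        if ".git" in dirnames or ".git" in filenames:
            found.append(str(here / ".git"))
        if ".git" in dirnames:
            dirnames.remove(".git")  # never walk inside a git database
    return sorted(found)


def build_sample_tree(base):
    """Create a constructed directory layout for the demonstration:
    one known repository, one stray .git directory under a user's
    Documents folder, and one worktree-style .git file under tmp."""
    base = Path(base)
    known = base / "projects" / "app"
    (known / ".git").mkdir(parents=True)
    (known / "src").mkdir()
    stray = base / "home" / "user" / "Documents"
    (stray / ".git").mkdir(parents=True)
    (base / "home" / "user" / "notes.txt").write_text("no repo here\n")
    worktree = base / "tmp" / "wt"
    worktree.mkdir(parents=True)
    (worktree / ".git").write_text("gitdir: /somewhere/else\n")
    return {"known": str(known)}


def demo():
    """Run the scan over the constructed tree; returns paths relative to
    the tree root, in POSIX form, so the result is stable across hosts."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = build_sample_tree(tmp)
        base = Path(tmp).resolve()
        hits = find_unexpected_git_dirs(tmp, [layout["known"]])
        return [Path(h).relative_to(base).as_posix() for h in hits]


if __name__ == "__main__":
    for hit in demo():
        print("unexpected .git entry:", hit)
    for v in ("2025.8.18", "2025.12.18"):
        print(v, "fixed" if is_fixed_version(v) else "VULNERABLE (update)")
```

On a real host, point find_unexpected_git_dirs at the developer's home directory and pass the paths of the repositories they actually work in; anything it reports is worth a look, and the version check belongs in whatever inventory process already tracks the MCP servers an agent is allowed to load.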
Read at InfoWorld