Anthropic fixes serious security holes in its Git Model Context Protocol server.
The flaws let an attacker read, delete or modify files outside the intended repository and, in one common deployment, execute arbitrary code. Security firm Cyata publicly disclosed the bugs in January 2026.
The server gives AI agents a controlled way to run Git operations. All default configurations released before December 18, 2025 are affected.

How the Vulnerabilities Work
Cyata found three flaws that can be chained together. The attacker needs no access to the host: the tool arguments come from the model, so a prompt injection planted in content the agent reads, such as a README or an issue, can make the agent call the vulnerable tools with attacker-chosen values.
- CVE-2025-68143: Path traversal in the git_init tool, which accepts any repository path without validation (CVSS 8.8)
- CVE-2025-68144: Argument injection in git_diff and git_checkout, which pass model-supplied values straight to the Git command line, so a value that looks like an option is parsed as a Git flag
- CVE-2025-68145: Path validation bypass that lets tool calls reach repositories outside the allowed list
When the Git server is deployed alongside the Filesystem MCP server, the chain escalates to remote code execution. Git filters are shell commands that Git itself runs when files are checked in or out; an attacker who can write the repository's Git configuration through the filesystem tools can define one, and the next Git operation executes it.
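The checks a fix for these two bug classes needs, shown as an added example written for this page (it is not the upstream server's code, whose own validation is not reproduced here). It canonicalises a requested repository path and tests containment against an allowed root, and it refuses option-like or malformed branch and revision arguments before they reach the Git command line. The root directory, the helper names and the sample tool arguments, including the `--output=` value used to illustrate option injection, are constructed for the demonstration.

```python
# Illustrative hardening for a Git-backed MCP tool (added example, not the
# upstream server's code). Models the advisory's two bug classes: path
# traversal in a repository-path parameter and argument injection in
# git_diff / git_checkout. All roots, names and inputs below are constructed.
from __future__ import annotations

from pathlib import Path
import subprocess


class UnsafeInput(ValueError):
    """Raised when a model-supplied tool argument fails validation."""


def resolve_repo_path(requested: str, allowed_roots: list[str]) -> Path:
    """Canonicalise `requested` and require it to sit inside an allowed root.

    Resolve first (collapses '..', follows symlinks), then test containment on
    the resolved path. A string-prefix check on the raw input is the classic
    mistake: '/srv/repos/../etc' starts with '/srv/repos' but lands in /etc.
    """
    target = Path(requested).resolve(strict=False)
    for root in allowed_roots:
        root_path = Path(root).resolve(strict=False)
        if target == root_path or root_path in target.parents:
            return target
    raise UnsafeInput(f"path escapes allowed roots: {requested!r}")


def safe_ref(value: str) -> str:
    """Reject a branch/revision argument that Git would parse as an option.

    A leading '-' is the whole argument-injection problem: `git diff --output=x`
    writes to a file instead of diffing against a revision. Characters and
    patterns Git's own ref-name rules forbid are refused as well.
    """
    if not value or value.startswith("-"):
        raise UnsafeInput(f"option-like or empty argument: {value!r}")
    if any(ord(c) < 0x20 or c in " ~^:?*[\\" for c in value):
        raise UnsafeInput(f"illegal character in ref: {value!r}")
    if ".." in value or "@{" in value or value.endswith(".lock"):
        raise UnsafeInput(f"invalid ref name: {value!r}")
    return value


def build_git_diff_argv(repo: str | Path, target: str, paths: list[str] | None = None) -> list[str]:
    """argv for `git diff <target> [-- <paths>]` with a validated revision.

    '--' protects only what follows it (pathspecs); the revision itself sits
    before it, which is why safe_ref is the real defence for that slot.
    """
    argv = ["git", "-C", str(repo), "diff", safe_ref(target)]
    if paths:
        argv += ["--", *paths]
    return argv


def build_git_checkout_argv(repo: str | Path, branch: str) -> list[str]:
    """argv for `git checkout <branch>`; a branch name cannot be moved behind
    '--' (that would make it a pathspec), so validation is the only defence."""
    return ["git", "-C", str(repo), "checkout", safe_ref(branch)]


def run_git(argv: list[str]) -> str:
    """Execute a pre-built argv with no shell involved; raise on failure."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


ALLOWED_ROOTS = ["/srv/repos"]  # constructed: where this deployment keeps agent repos

# Constructed tool-call arguments of the kind a prompt injection could produce.
SAMPLE_CALLS = {
    "init_inside_root": ("path", "/srv/repos/app"),
    "init_traversal": ("path", "/srv/repos/app/../../../etc"),
    "init_absolute_outside": ("path", "/etc/passwd"),
    "diff_branch": ("ref", "feature/login"),
    "diff_option_inject": ("ref", "--output=/tmp/owned"),
    "checkout_branch": ("ref", "main"),
    "checkout_option": ("ref", "-b"),
    "checkout_bad_name": ("ref", "release.lock"),
}


def classify(calls: dict[str, tuple[str, str]] = SAMPLE_CALLS) -> dict[str, str]:
    """Run each constructed argument through the matching check: 'accepted' or 'rejected'."""
    results: dict[str, str] = {}
    for name, (kind, value) in calls.items():
        try:
            if kind == "path":
                resolve_repo_path(value, ALLOWED_ROOTS)
            else:
                safe_ref(value)
            results[name] = "accepted"
        except UnsafeInput:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:24} {verdict}")
    print(build_git_diff_argv("/srv/repos/app", "feature/login", ["src/"]))
```

The argument vectors are built as lists and handed to `subprocess.run` without a shell, so the remaining risk is Git's own option parsing, which is exactly what `safe_ref` closes off. Where Git is available, `git check-ref-format --branch <name>` is a stricter, authoritative check than the subset of ref-name rules encoded here.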
Fixes and Recommendations
Anthropic patched the issues on December 17, 2025. The fix removes the git_init tool entirely. Users should update now.
- Update to the patched version immediately
- Treat every MCP tool input as untrusted, including values the model derives from repository content
- Review the permissions granted to agents and the tools they can reach
- Monitor what agents do, as you would any service account
Cyata warns that the flaws are easy to exploit. Because this is the official server, developers copy its patterns, so its issues raise concerns for the whole MCP ecosystem.
No exploitation in the wild has been observed so far.
Cyata reported the bugs in June 2025; the patch followed in December. Experts say providers must fix risky defaults, and organizations should add their own controls in the meantime, such as validating tool inputs and restricting agent permissions.