Security researchers have uncovered three critical flaws in mcp-server-git, the official Git server implementation for the Model Context Protocol (MCP) maintained within the Anthropic ecosystem. According to the report by the firm Cyata, these vulnerabilities range from reading and deleting arbitrary files to, in certain combinations, executing code on the affected system, and, most disturbingly, they can be triggered through prompt injection, that is, by manipulating what an AI assistant gets to "read". The researchers' full explanation is in their technical write-up on the Cyata blog.
mcp-server-git is a Python library that gives language models built-in tools for interacting with Git repositories: reading, searching and running code operations programmatically. It is designed as a reference within the MCP server set and therefore often serves as a model for developers who implement agents that handle repositories. The server collection itself is available in the MCP repository.

The three vulnerabilities have received CVE identifiers and fixes are already published in the project branches. The first flaw, recorded as CVE-2025-68143, allowed path traversal during repository creation because the git_init tool accepted filesystem paths without proper validation; the fix arrived in version 2025.9.25. The second, CVE-2025-68144, consists of argument injection when functions such as git_diff and git_checkout passed user-controlled parameters directly to Git's CLI; this was fixed in 2025.12.18. The third, CVE-2025-68145, is another path traversal variant linked to the handling of the --repository flag and was resolved in the same series of patches.
The scope of these flaws is not merely theoretical. The researchers show how an attacker who can influence the text an AI processes, for example with a malicious README, an issue description or a compromised web page, can chain the vulnerabilities with the MCP filesystem server to manipulate the contents of a repository. In their scenario, the adversary turns a single folder into a Git repository, writes a .git/config with a malicious "clean" filter, creates a .gitattributes that applies that filter to certain files, adds a script containing the payload and a file that triggers the filter, and finally runs git_add: at that point the "clean" filter executes and with it the attacker's code. The technique relies on legitimate Git features, such as filters defined in .gitattributes, which complicates its detection in the absence of additional safeguards.
The repository of the filesystem component used in the demonstration is also public and is part of the MCP server set: the Filesystem MCP server. This combination of capabilities to operate on the file system and the ease of orchestrating actions through prompts is precisely what makes the vulnerability particularly delicate: the attack vector can be remote and does not require prior access to the vulnerable host.
In response to the findings, the maintainers have taken concrete action: among other measures, the git_init tool has been removed and validation has been strengthened to prevent the basic traversal primitive. The recommendation for any user of the library is to update to the versions containing the fixes as soon as possible and to review deployments where MCP-based agents have write permissions or the ability to run system commands.

Beyond the patch, Cyata's observations are a wake-up call for the entire ecosystem. As Shahar Tal, the company's co-founder and CEO, pointed out, the fact that the reference implementation presents such flaws suggests that both reference libraries and the common integration patterns between LLMs and system resources should be subject to more thorough scrutiny. The risk is not only that a reference contains a flaw, but that a multitude of derivative implementations may carry it along without anyone responsible for them or appropriate patches.
For developers and security officers, the practical lesson is clear: interfaces that expose operations on the file system or that invoke native tools need strict input validation, least-privilege policies and execution isolation. In environments where language models process external content or interact with system resources, additional barriers should be added to mitigate the risk of a chain of legitimate commands becoming an attack: for example, containers with limited permissions, prior analysis of potentially dangerous prompts and automated code review.
To go deeper into the official fixes and advisories, you can check the security pages published in the repository: CVE-2025-68143, CVE-2025-68144 and CVE-2025-68145. For the technical research and exploitation examples, Cyata's analysis is available on its blog at cyata.ai, and the MCP reference implementation can be reviewed on GitHub. Keeping components up to date and auditing the integration between AI agents and system resources is, today more than ever, an essential practice.
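As an added illustration of the input validation the lesson above calls for (example code written for this article, not mcp-server-git's own code), the following Python shows how a tool that wraps the git CLI can refuse the two input classes behind the reported CVEs: repository paths that resolve outside an allowed root, and user-supplied values that git would otherwise parse as options. The function names, the allowed-root layout and the conservative revision pattern are assumptions made for the example.

```python
# Added example (not mcp-server-git's own code): input hardening for an MCP
# tool that wraps the git CLI, covering the two bug classes in the article:
# repository paths escaping an allowed root (path traversal) and values git
# would parse as options (argument injection). Names here are assumptions.
import re
from pathlib import Path

# Conservative pattern for revisions such as "main", "v1.2" or "HEAD~1".
_REVISION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^@-]*$")


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` under `allowed_root`; refuse anything that lands
    outside it ('..', absolute paths and symlinks included)."""
    root = Path(allowed_root).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ToolInputError(f"path escapes allowed root: {requested!r}")
    return target


def safe_revision(value: str) -> str:
    """Accept a revision only if git cannot read it as an option."""
    if not _REVISION_RE.match(value):
        raise ToolInputError(f"refusing revision: {value!r}")
    return value


def pathspec_args(*paths: str) -> list:
    """Place pathspecs behind '--' so git stops option parsing first."""
    if any(not p or p.startswith("-") or "\x00" in p for p in paths):
        raise ToolInputError(f"refusing pathspec in {paths!r}")
    return ["--", *paths] if paths else []


def build_git_command(allowed_root, repo, subcommand, revisions=(), paths=()):
    """Compose argv (no shell) for e.g. a git_diff tool: validated repo path,
    validated revisions, then terminator-protected pathspecs."""
    repo_path = resolve_repo_path(allowed_root, repo)
    revs = [safe_revision(r) for r in revisions]
    return ["git", "-C", str(repo_path), subcommand, *revs, *pathspec_args(*paths)]


def rejects(fn, *args) -> bool:
    """True if validation refuses `fn(*args)`; handy for self-checks."""
    try:
        fn(*args)
    except ToolInputError:
        return True
    return False
```

The resulting argv list is meant to be passed to subprocess without a shell; revisions such as the target of git_checkout cannot sit behind "--" (git would read them as paths), which is why they get a strict allow-pattern instead.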