Full Report
Prompt injection for the win Anthropic has fixed three bugs in its official Git MCP server that researchers say can be chained with other MCP tools to remotely execute malicious code or overwrite files via prompt injection.…
Analysis Summary
# Vulnerability: Chained Prompt Injection leading to RCE in Anthropic Git MCP Server
## CVE Details
- CVE ID: The article references three specific CVEs: CVE-2025-68145, CVE-2025-68143, and CVE-2025-68144.
- CVSS Score: Not explicitly provided in the text. Severity is implied as High due to RCE potential.
- CWE: Related to Improper Input Validation/Path Traversal/Argument Injection.
## Affected Systems
- Products: Anthropic Git MCP server (`mcp-server-git`). This server connects AI tools (Copilot, Claude, Cursor) to Git repositories.
- Versions: Default deployments prior to **2025.12.18**.
- Configurations: Exploitation requires chaining with other MCP tools, specifically the **Filesystem MCP server**.
## Vulnerability Description
Three distinct vulnerabilities in the Git MCP server allowed researchers to chain its functionality with the Filesystem MCP server, leading to Remote Code Execution (RCE) via indirect prompt injection:
1. **CVE-2025-68145 (Path Validation Bypass):** The `--repository` flag validation failed for subsequent tool calls, allowing an attacker to bypass configured path restrictions and access any repository on the system.
2. **CVE-2025-68143 (Unrestricted `git_init`):** The `git_init` tool accepted arbitrary filesystem paths without validation, enabling an attacker to initialize a Git repository in any directory.
3. **CVE-2025-68144 (Argument Injection in `git_diff`):** User-controlled arguments were passed unsanitized to the GitPython library in `git_diff` and `git_checkout` functions. This allowed an attacker to overwrite any file with an empty diff or delete files by injecting arguments like `--output=/path/to/file`.
The final RCE occurs by chaining these flaws with the Filesystem MCP server to write malicious bash scripts and configure Git repository files (`.git/config`, `.gitattributes`) to trigger these scripts via Git's `clean` and `smudge` filters during subsequent Git operations.
## Exploitation
- Status: PoC available (demonstrated by Cyata). No indication of exploitation in the wild.
- Complexity: Medium to High (requires chaining three separate flaws and leveraging another MCP server).
- Attack Vector: Network (via indirect prompt injection delivered through attacker-controlled content read by an IDE/AI system).
## Impact
- Confidentiality: High (Potential access to system files and repository data).
- Integrity: Critical (Ability to overwrite and delete arbitrary files, leading to RCE).
- Availability: Critical (Potential for system compromise and denial of service).
## Remediation
### Patches
- **Update the Git MCP server to version 2025.12.18 or later.** (The fixes were implemented in December 2025).
### Workarounds
- The `git_init` tool was removed from the server as part of the fix for CVE-2025-68143. If possible, ensure that an explicit configuration or policy restricts the use of the Git MCP server so that its toolset cannot be chained with the Filesystem MCP server until updated.
## Detection
- **Indicators of Compromise (IOCs):** Look for unusual Git configuration changes (specifically entries utilizing `clean` or `smudge` filters pointing to arbitrary scripts) or unexpected file modifications/deletions coinciding with Git operations initiated by the MCP server.
- **Detection Methods and Tools:** Security teams must assess the effective permissions and tool chaining capabilities of the *entire* agentic system, rather than individual MCP servers in isolation. Monitor all network traffic and internal command execution originating from the MCP server hosts.
## References
- Vendor Advisories: Private reporting by Cyata to Anthropic in June, fixed in December [Year not specified for advisory publication].
- Relevant Links:
- Information regarding CVE-2025-68145: defanged.github.com/advisories/GHSA-j22h-9j4x-23w5
- Information regarding CVE-2025-68143: defanged.github.com/advisories/GHSA-5cgr-j3jf-jw3v
- Information regarding CVE-2025-68144: defanged.github.com/advisories/GHSA-9xwc-hfwc-8w59