Full Report
A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions. "These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README,
Analysis Summary
# Vulnerability: Prompt Injection Leading to File Access and RCE in MCP Git Server
## CVE Details
- CVE ID: CVE-2025-68143, CVE-2025-68144, CVE-2025-68145
- CVSS Score: 8.8 (v3) / 6.5 (v4) for CVE-2025-68143 (Highest reported)
- CWE: Path Traversal, Argument Injection (Implied from description)
## Affected Systems
- Products: mcp-server-git (Official Git Model Context Protocol Server)
- Versions: Prior to 2025.9.25 (for CVE-2025-68143) and prior to 2025.12.18 (for CVE-2025-68144 and CVE-2025-68145)
- Configurations: Systems utilizing the `git_init` tool or functions like `git_diff` and `git_checkout` where user-controlled input (from AI prompts) influences arguments passed to Git CLI commands.
## Vulnerability Description
A set of three vulnerabilities exists in the `mcp-server-git` Python package, primarily stemming from insufficient sanitization of user-controlled inputs derived from AI assistant prompts (prompt injection).
1. **CVE-2025-68143 (Path Traversal):** The `git_init` tool accepted arbitrary file system paths during repository creation without validation, allowing an attacker to initialize a repository anywhere on the system.
2. **CVE-2025-68144 (Argument Injection):** Functions like `git_diff` and `git_checkout` passed user-controlled arguments directly to the underlying `git` CLI commands without sanitization, which could lead to arbitrary command execution.
3. **CVE-2025-68145 (Path Traversal):** Path validation was missing when the `--repository` flag was used to limit operations to a specific repository path.
These flaws can be chained together, especially when used with the Filesystem MCP server, to overwrite configuration files (e.g., `.git/config`) with malicious payloads designed to execute code upon subsequent Git operations (like `git_add`).
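The two checks whose absence items 2 and 3 describe, path containment and rejection of option-like arguments, are sketched below as an added example; this is not the code of `mcp-server-git` or its patch. The names `resolve_inside`, `safe_ref` and `build_diff_argv` are hypothetical, and the sketch assumes the server is configured with a single allowed repository root.

```python
from __future__ import annotations

from pathlib import Path


class ValidationError(ValueError):
    """Raised when a tool argument fails validation."""


def resolve_inside(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` and require it to stay inside `allowed_root`.

    Both paths are resolved first, so `..` segments and symlinks cannot
    be used to step outside the configured repository.
    """
    root = Path(allowed_root).resolve()
    # An absolute `requested` replaces `root` in the join, so it is
    # caught by the containment test below like any other escape.
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ValidationError(f"{requested!r} is outside {root}")
    return target


def safe_ref(value: str) -> str:
    """Reject values that git would parse as an option rather than a ref."""
    if not value or value.startswith("-"):
        raise ValidationError(f"{value!r} is not an acceptable ref name")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        raise ValidationError(f"{value!r} contains whitespace or control bytes")
    return value


def build_diff_argv(allowed_root: str, repo_path: str, target: str) -> list[str]:
    """Build an argv list for `git diff` from validated inputs only.

    Passing a list (never a shell string) keeps each value a single
    argument; the trailing `--` ends git's revision/option parsing.
    """
    repo = resolve_inside(allowed_root, repo_path)
    return ["git", "-C", str(repo), "diff", safe_ref(target), "--"]
```

The returned list is meant to be handed to `subprocess.run(argv, shell=False)`; the validation happens before any `git` process is started.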
## Exploitation
- Status: PoC available (Vulnerabilities exploited in a documented attack scenario by Cyata)
- Complexity: Low (Exploitable via prompt injection, meaning external influence on the context read by the AI is sufficient)
- Attack Vector: Adjacent / Network (Requires an attacker to influence input consumed by the AI assistant reading the context)
## Impact
- Confidentiality: High (Ability to read arbitrary files is implied by path traversal)
- Integrity: High (Ability to overwrite arbitrary files and execute code)
- Availability: High (Code execution leads to potential system compromise/denial of service)
## Remediation
### Patches
- Upgrade to version **2025.9.25** to mitigate CVE-2025-68143.
- Upgrade to version **2025.12.18** to mitigate CVE-2025-68144 and CVE-2025-68145. (Users are strongly advised to update to the latest available version.)
### Workarounds
- The vendor has **removed the `git_init` tool** from the package in fixed versions. If immediate upgrading is not possible, manually restricting or disabling access to functions related to `git_init`, `git_diff`, and `git_checkout` within the LLM application context might offer temporary protection.
## Detection
- **Indicators of Compromise:** Look for unusual Git initialization operations targeting non-standard directories, or unexpected modifications to files within the `.git` configuration/filter directories of repositories managed by the MCP server.
- **Detection methods and tools:** Monitor outgoing system calls from the `mcp-server-git` process, specifically looking for arguments passed to the native `git` CLI executable that contain unsanitized user input.
## References
- Vendor Advisory (GitHub): https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v
- Vendor Advisory (GitHub): https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59
- Vendor Advisory (GitHub): https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5
- Research Summary: hxxps://cyata.ai/blog/cyata-research-breaking-anthropics-official-mcp-server/