- Three security flaws were disclosed in mcp-server-git, the official Git MCP server maintained by Anthropic.
- Vulnerabilities allow path traversal, argument injection, file overwrite, and could lead to remote code execution when combined with other MCP servers.
- The issues were fixed in releases 2025.9.25 and 2025.12.18; users are advised to update and remove exposed tools.
On Jan. 20, 2026, three vulnerabilities were disclosed in the Python package mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic. The flaws could let an attacker read or delete arbitrary files and, under certain conditions, execute code on the host system.
Cyata researcher Yarden Porat warned about exploitability through prompt injection. According to the report, “These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without any direct access to the victim’s system.”
The package provides built-in tools that let large language models read, search, and manipulate Git repositories programmatically. The maintainers addressed the issues in versions 2025.9.25 and 2025.12.18 after responsible disclosure in June 2025.
The three tracked vulnerabilities are:
– CVE-2025-68143 — path traversal via the git_init tool (CVSS v3: 8.8; fixed in 2025.9.25).
– CVE-2025-68144 — argument injection in git_diff and git_checkout (CVSS v3: 8.1; fixed in 2025.12.18).
– CVE-2025-68145 — path traversal via the --repository flag (CVSS v3: 7.1; fixed in 2025.12.18).
Cyata demonstrated a chained attack using the Filesystem MCP server to write a malicious .git/config and trigger execution. The documented steps include creating a repo with git_init, writing .git/config and .gitattributes, placing a payload script, and invoking git_add to run the filter.
Maintainers removed the git_init tool and added path validation to prevent traversal primitives. Users of the package are advised to update to the patched releases. “This is the canonical Git MCP server, the one developers are expected to copy,” said Shahar Tal, CEO and co-founder of Cyata. “If security boundaries break down even in the reference implementation, it’s a signal that the entire MCP ecosystem needs deeper scrutiny. These are not edge cases or exotic configurations, they work out of the box.”
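As an added illustration, not mcp-server-git's own code, the two defensive checks the fixes above correspond to: resolving a requested repository path inside an allowed root so traversal cannot escape it, and building git argument vectors in which user-supplied values can never be parsed as options. The function names, the /srv/repos root and the sample inputs are assumptions made for the example.

```python
"""Added example, not mcp-server-git's own code: the two defensive checks a
Git MCP tool needs against the flaw classes above. Names, the allowed root
and the sample inputs are assumptions made for illustration."""
from pathlib import Path

ALLOWED_ROOT = "/srv/repos"  # assumed root under which repositories may live


def resolve_within(base: str, requested: str) -> Path:
    """Resolve `requested` against `base` and refuse anything outside it.

    Both sides are resolved first, so '..' segments, symlinks and absolute
    paths (which Path joining would let replace the base) are all caught.
    """
    root = Path(base).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ValueError(f"path escapes allowed root: {requested!r}")
    return target


def is_within(base: str, requested: str) -> bool:
    """Boolean form of resolve_within, handy for tests and logging."""
    try:
        resolve_within(base, requested)
        return True
    except ValueError:
        return False


def is_option_like(arg: str) -> bool:
    """True when git would parse `arg` as a flag rather than a value."""
    return arg.startswith("-")


def safe_git_argv(subcommand: str, revisions=(), paths=()) -> list[str]:
    """Build argv for git in which user values can never become options.

    Option-like values are rejected outright; paths go after a literal '--'
    so git stops option parsing before it sees them.
    """
    for arg in (*revisions, *paths):
        if is_option_like(arg):
            raise ValueError(f"option-like argument rejected: {arg!r}")
    argv = ["git", subcommand, *revisions]
    if paths:
        argv += ["--", *paths]
    return argv


if __name__ == "__main__":
    print(resolve_within(ALLOWED_ROOT, "project/sub"))
    print(is_within(ALLOWED_ROOT, "../../etc/passwd"))
    print(safe_git_argv("diff", revisions=["HEAD~1"], paths=["README.md"]))
```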