Anthropic’s official Git Model Context Protocol (MCP) server, mcp-server-git, has recently been found to have three security vulnerabilities. These defects would pose risks to user data and the overall integrity of the system. These vulnerabilities CVE-2025-68143, CVE-2025-68144, CVE-2025-68145 were responsibly disclosed in June of 2025. In the time since, those pain points have been patched by newer software releases.
There are critical severity vulnerabilities that allow attackers to read or delete any files on the system, and under certain conditions, remotely execute code of their choice. The underlying problems stem from bugs in the git_init tool and other server functions.
Details of Vulnerabilities
CVE-2025-68143 is a generic path traversal vulnerability linked to the use of the git_init tool. This flaw has a CVSS score of 8.8 (v3) and 6.5 (v4). It allows a remote unauthenticated attacker to craft file paths to bypass intended security measures and read sensitive files outside the web root. Anthropic has already moved to fix this exploit with patch version 2025.9.25. To safeguard against future exploitation, they deleted the git_init tool from the package.
The other major vulnerability, CVE-2025-68144, is argument injection in the git_diff and git_checkout functions. This vulnerability has a CVSS score of 8.1 (v3) and 6.4 (v4). It was fixed with release 2025.12.18 by adding additional validation checks to avoid exploitation via argument tampering.
The third vulnerability, CVE-2025-68145, is a path traversal vulnerability. It’s due to lack of full path validation when providing –repository flag. This issue has a CVSS score of 7.1 (v3), 6.3 (v4). Much like the first, the second was hardcoded and was fixed in 2025.12.18.
Implications of the Vulnerabilities
Successful exploitation of these vulnerabilities may allow an attacker to cause serious damage to any user of the mcp-server-git. An attacker can use these flaws to read sensitive information or delete vital files. They could even run arbitrary code on them without requiring direct access to the victim’s environment.
Cybersecurity researcher Yarden Porat highlighted the risks associated with these flaws. He continued to say an attacker can exploit them via prompt injection by manipulating what an AI assistant reads—such as a hostile README, a poisoned issue description, or a compromised webpage—letting them weaponize these flaws without requiring direct access to the victim’s system.
Need for Increased Vigilance
While the finding of these vulnerabilities is good news to the public, it raises broader questions about the security of the entire MCP ecosystem. Shahar Tal touched on the thematic need to critically look at security within this framework. As he cautioned, “If security barriers are falling even in the reference implementation, it’s an early warning flag that the rest of the MCP ecosystem may require a closer examination.” These are not edge cases or exotic configurations, it simply works out of the box.