Anthropic MCP Git Server Vulnerabilities Enable RCE via Prompt Injection
These articles are AI-generated summaries. Please check the original sources for full details.
Anthropic MCP Git Server Flaws Enable File Access and Code Execution
Anthropic’s MCP Git server, a Python package for interacting with Git repositories via LLMs, contains three vulnerabilities (CVE-2025-68143, CVE-2025-68144, CVE-2025-68145) that allow attackers to read and delete files, and potentially execute code. The most severe, CVE-2025-68143, has a CVSS score of 8.8, illustrating a high-impact risk.
Why This Matters
Current LLM-based tools often rely on direct interaction with file systems and external processes to achieve functionality, creating a significant attack surface. Ideal models assume sanitized inputs, but in practice, prompt injection attacks can bypass these controls, as demonstrated by the ability to chain these vulnerabilities for RCE. The potential scale of impact is substantial, as this is the “canonical” Git MCP server, meaning widespread adoption increases risk.
Key Insights
- CVE-2025-68143 (2025-09-25): Path traversal vulnerability in git_init due to lack of input validation.
- Prompt Injection: Attackers can weaponize vulnerabilities without direct system access by influencing LLM inputs.
- MCP Ecosystem Scrutiny: These vulnerabilities highlight the need for deeper security analysis of the broader MCP ecosystem.
Working Example
# This example demonstrates the vulnerability chain, but should not be used maliciously.
# It's a simplified illustration of the attack described in the Cyata report.
# 1. Create a repo (vulnerable git_init is assumed)
# 2. Write a malicious .git/config file via Filesystem MCP server
# 3. Write a .gitattributes file to apply a "clean" filter
# 4. Write a shell script with a payload
# 5. Write a file that triggers the filter
# 6. Call git_add, executing the payload
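A defender's check for the chain outlined above, as an added example that is not code from the MCP Git server or the Cyata report: it audits a working tree for filter drivers that are both defined in .git/config and attached to paths through .gitattributes, which is the condition under which git_add would run a command. The function names and the sample repository are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Git section names are case-insensitive; the quoted subsection is the filter name.
SECTION = re.compile(r'^\s*\[\s*filter\s+"([^"]+)"\s*\]', re.I)
ANY_SECTION = re.compile(r'^\s*\[')
KEY = re.compile(r'^\s*(clean|smudge|process)\s*=\s*(.+?)\s*$', re.I)
ATTR = re.compile(r'(?:^|\s)filter=(\S+)')

def filter_drivers(config_text):
    """Map filter name -> {key: command} for every [filter "x"] section."""
    drivers, current = {}, None
    for line in config_text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1)
        elif ANY_SECTION.match(line):
            current = None  # some other section; stop collecting keys
        elif current and (k := KEY.match(line)):
            drivers.setdefault(current, {})[k.group(1).lower()] = k.group(2)
    return drivers

def audit_repo(repo):
    """Return (attributes file, filter name, commands) for each active filter."""
    repo = Path(repo)
    cfg = repo / ".git" / "config"
    drivers = filter_drivers(cfg.read_text(errors="replace")) if cfg.is_file() else {}
    findings = []
    for attrs in repo.rglob(".gitattributes"):
        for line in attrs.read_text(errors="replace").splitlines():
            if line.lstrip().startswith("#"):
                continue  # comment line in .gitattributes
            for name in ATTR.findall(line):
                if name in drivers:  # defined AND referenced: command will run
                    findings.append((str(attrs.relative_to(repo)), name, drivers[name]))
    return findings

def demo():
    """Constructed sample repo; 'cat' is a harmless placeholder command."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / ".git").mkdir()
        (root / ".git" / "config").write_text(
            '[core]\n\tbare = false\n[filter "fmt"]\n\tclean = cat\n')
        (root / ".gitattributes").write_text("# constructed\n*.txt filter=fmt\n")
        return audit_repo(root)

if __name__ == "__main__":
    print(demo())
```

The check reads only the repository-local config; included config files and global or system config are outside its scope.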
Practical Applications
- Developer Workflow: Companies using Anthropic’s MCP Git server in CI/CD pipelines are vulnerable to code injection.
- Pitfall: Trusting user-controlled input directly within Git commands without sanitization can lead to arbitrary code execution.