AI’s Open Door: Critical RCE Flaws Found in Anthropic’s Git MCP Server
Three critical vulnerabilities have been unearthed within the official Git Model Context Protocol (MCP) server, a project spearheaded by Anthropic. These flaws permit unauthorized arbitrary file access, deletion, and remote code execution. The security lapses specifically afflicted the mcp-server-git component—a Python-based server engineered to facilitate interaction between Large Language Models and Git repositories.
According to an evaluation by Cyata, these vulnerabilities can be exploited through prompt injection. An adversary manipulates content that the AI assistant consumes, such as a compromised README file, a deceptive task description, or a subverted webpage, and thereby turns the AI’s capabilities against the host system without needing direct access to it.
The identified defects were remediated in successive updates in September and December 2025, following a disclosure to the developers earlier that summer. The inaugural vulnerability, designated CVE-2025-68143, stemmed from a lack of path validation within the git_init tool. By accepting arbitrary path values during repository initialization, the tool allowed attackers to navigate to restricted directories, earning it a CVSS 3.0 score of 8.8.
The second flaw, CVE-2025-68144, involved the git_diff and git_checkout functions, which transmitted input parameters directly to Git commands without sanitization. This oversight facilitated command injection and was assigned a severity rating of 8.1.
The final issue, CVE-2025-68145, concerned improper path handling associated with the --repository flag; a lack of directory-specific constraints allowed operations to transcend intended boundaries, resulting in a 7.1 rating.
A successful exploit lets an attacker tamper with any file, turn arbitrary directories into Git repositories, and gain unauthorized access to other repositories on the server. Researchers observed that these vulnerabilities could be chained to achieve arbitrary code execution. Specifically, an attacker could alter a repository’s configuration file to establish a malicious filter, which, when triggered via git_add, would execute a nested script.
Following the threat analysis, developers removed the git_init tool from the package and implemented rigorous path-traversal safeguards. Users are strongly urged to update to the latest version. The team at Cyata underscores that because this server serves as the reference implementation for the MCP protocol, these “zero-click” vulnerabilities signal an urgent need for a deeper security audit across the entire MCP ecosystem.
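The two classes of check described above, path containment for the repository argument and refusing option-like values before they reach Git, can be sketched as follows. This is an added example, not code from mcp-server-git or from Cyata; the function names, the RejectedInput exception and the /srv/repos root are assumptions made for illustration.

```python
from pathlib import Path


class RejectedInput(ValueError):
    """Raised when a tool argument fails validation (hypothetical name)."""


def resolve_inside(allowed_root: str, requested: str) -> Path:
    """Return the real path of `requested` only if it lies under allowed_root.

    Both sides are resolved first, so `..` segments and symlinks that point
    outside the root are caught instead of being compared as raw strings.
    """
    root = Path(allowed_root).resolve()
    # Joining with an absolute `requested` discards root, so that case is
    # rejected by the same containment test below.
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise RejectedInput(f"path escapes allowed root: {requested!r}")
    return target


def safe_ref(ref: str) -> str:
    """Reject values that git would parse as an option rather than a ref."""
    if not ref or ref.startswith("-") or any(c in ref for c in "\0\n\r"):
        raise RejectedInput(f"not a valid ref name: {ref!r}")
    return ref


def diff_argv(allowed_root: str, repo: str, target: str) -> list[str]:
    """Build the argv for `git diff` after both checks; no shell is involved."""
    repo_path = resolve_inside(allowed_root, repo)
    return ["git", "-C", str(repo_path), "diff", safe_ref(target), "--"]


if __name__ == "__main__":
    # Constructed inputs: the root and the requested values are illustrative.
    samples = [("project", "main"), ("../other", "main"),
               ("project", "--example-option")]
    for repo, ref in samples:
        try:
            print(diff_argv("/srv/repos", repo, ref))
        except RejectedInput as err:
            print("rejected:", err)
```

The argv list is meant to be passed to subprocess.run without shell=True, so the only parsing of the values is Git's own.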