Anthropic MCP Git Vulnerabilities: Prompt Injection Leads to RCE

In the rapidly expanding world of agentic AI tooling, the Model Context Protocol (MCP) has become a cornerstone for enabling large language models like Claude to interact with external systems—filesystems, APIs, databases, and crucially, Git repositories.

Yet a recent disclosure reveals a stark reminder of supply-chain risks in AI infrastructure: three medium-severity vulnerabilities in Anthropic’s own official reference Git MCP server (mcp-server-git) allow attackers to achieve arbitrary file access, deletion, overwrites, and—in chained scenarios—full remote code execution (RCE), all triggered purely through prompt injection.

Discovered by AI security firm Cyata Security and publicly detailed on January 20, 2026, these flaws (CVE-2025-68143, CVE-2025-68144, CVE-2025-68145) were reported to Anthropic in June 2025, accepted in September, and fully patched by December 2025 (with the git_init tool removed entirely in version 2025.12.18).

The disclosure highlights a growing class of threats in 2026: vulnerabilities not in third-party plugins, but in the “canonical” reference implementations developers are encouraged to adopt or fork for production AI agents.

Key Details of the Vulnerabilities

The affected component is mcp-server-git, Anthropic’s official MCP server for Git operations, intended as a reference implementation for exposing repositories to LLMs. MCP servers act as bridges: the AI decides on tool calls, and the server executes them on the host system.

The three flaws, all reachable through indirect prompt injection (attacker-controlled content in a README.md, GitHub issue, or webpage that the AI reads and then acts on), are:

  • CVE-2025-68143 — Unrestricted git_init tool. The tool accepted any filesystem path for repository initialization with no validation, so an attacker could make the AI turn an arbitrary directory (including sensitive ones outside the configured repository) into a Git repository, priming it for further manipulation.
  • CVE-2025-68144 — Argument injection in the git_diff tool. Model-supplied input was passed to the Git CLI unsanitized; a value that begins with a dash is parsed by Git as an option rather than a revision, which let an attacker steer the command, including writing the (possibly empty) diff output over an existing file.
  • CVE-2025-68145 — Path validation bypass. The --repository flag is meant to confine operations to an allowlisted repository path, but the check could be bypassed, granting access to other repositories or paths on the system.
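The two input-handling mistakes behind the git_diff and --repository findings, shown as an added example (this is illustrative code, not code from mcp-server-git or from the Cyata write-up): a vulnerable argv builder beside a hardened one, and a repository-path check that survives traversal and symlink escapes. The regex, the function names and the temporary "allowed repo" are assumptions made for the demonstration; Git itself is never executed.

```python
"""Added example (not code from mcp-server-git or the Cyata write-up): the two
input-handling mistakes behind the git_diff and --repository findings, shown
as a vulnerable argv builder beside a hardened one, plus a repository-path
check.  Git itself is never executed here; only argument construction and
validation are demonstrated."""
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path

# Deliberately narrow allowlist (an assumption, stricter than git's own rules)
# for a revision or range such as main, HEAD~2, v1.2.0 or feature/x..main:
# no leading '-', no whitespace, no shell metacharacters.
_REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^@{}-]*$")


def diff_argv_vulnerable(target: str) -> list[str]:
    """The flaw pattern: a model-supplied value lands where git expects a
    revision, so a value such as '--output=/some/file' is parsed as an option."""
    return ["git", "diff", target]


def diff_argv_hardened(target: str, paths: list[str] | None = None) -> list[str]:
    """Reject option-shaped revisions; fence any pathspecs behind '--' so git
    can never interpret them as options."""
    if not _REF_RE.match(target):
        raise ValueError(f"refusing option-like or malformed revision: {target!r}")
    argv = ["git", "diff", target]
    if paths:
        if any("\x00" in p for p in paths):
            raise ValueError("NUL byte in pathspec")
        argv += ["--", *paths]
    return argv


def resolve_repo_path(allowed_repo: str, requested: str) -> Path:
    """Resolve `requested` (relative to the allowlisted repo, or absolute) and
    require the result to stay inside that repo.  resolve() follows symlinks
    and collapses '..', which defeats both traversal and symlink escapes."""
    root = Path(allowed_repo).resolve()
    req = Path(requested)
    candidate = (req if req.is_absolute() else root / req).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def run_git(argv: list[str], repo: Path) -> str:
    """Execute an already-validated argv with no shell involved."""
    return subprocess.run(argv, cwd=repo, check=True, capture_output=True, text=True).stdout


def demo() -> dict:
    """Exercise the checks on constructed inputs and return the outcomes."""
    root = tempfile.mkdtemp(prefix="allowed-repo-")   # stands in for --repository
    out: dict = {"vuln_argv": diff_argv_vulnerable("--output=/tmp/clobbered")}
    try:
        diff_argv_hardened("--output=/tmp/clobbered")
        out["hardened_rejects_option"] = False
    except ValueError:
        out["hardened_rejects_option"] = True
    out["hardened_range"] = diff_argv_hardened("main..feature/x", ["src/app.py"])
    out["inside_ok"] = resolve_repo_path(root, "src/app.py") == Path(root, "src", "app.py").resolve()
    for name, bad in (("traversal_blocked", "../../etc/passwd"), ("absolute_blocked", "/etc/passwd")):
        try:
            resolve_repo_path(root, bad)
            out[name] = False
        except PermissionError:
            out[name] = True
    Path(root, "escape").symlink_to("/etc")            # symlink pointing outside the repo
    try:
        resolve_repo_path(root, "escape/passwd")
        out["symlink_blocked"] = False
    except PermissionError:
        out["symlink_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable builder shows why "unsanitized input to the Git CLI" matters: the string is never shell-interpreted, yet Git still treats a leading dash as an option. The hardened builder fixes the revision position with an allowlist and the path positions with `--`; the path check resolves before comparing, because a lexical prefix test alone is exactly what a symlink or `..` bypasses.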

Individually, these enable sensitive file reads (loading file contents into the LLM context), deletions, or overwrites. Chained with the legitimate Filesystem MCP server (which permits file reads and writes under its own configured directory rules), they yield RCE:

  1. Prompt injection tricks the AI into calling git_init to create a repository in an arbitrary directory.
  2. The Filesystem MCP server then writes .git/config and .gitattributes in that directory, defining a Git clean/smudge filter (or planting a hook) whose command is attacker-controlled.
  3. A subsequent Git operation (e.g., staging a file) invokes that command, executing arbitrary code on the host, potentially a developer laptop, CI/CD runner, or production server.

Cyata demonstrated this chain in red-team exercises, turning innocuous AI tasks (e.g., “review this repo”) into full system compromise.

Why This Threat Matters

MCP represents the future of AI agents: seamless tool integration for code review, repo syncing, file ops, and more. But reference implementations like mcp-server-git are copied widely—developers assume they’re secure baselines.

These flaws expose developers and organizations to:

  • Data leakage — Sensitive files loaded into LLM context (potentially logged or exfiltrated downstream).
  • Integrity risks — Arbitrary overwrites or deletions breaking builds, configs, or source code.
  • RCE in AI workflows — Especially dangerous in enterprise settings where Claude or similar agents run with broad access on employee machines or cloud environments.
  • Broader ecosystem impact — Highlights prompt injection as a persistent vector in agentic systems, where AI decisions execute real actions.

For SMBs and dev teams adopting AI assistants as “helpful colleagues,” unvetted MCP setups expand the attack surface far beyond traditional code repos.

Technical Indicators (IOCs)

The vulnerabilities manifest through specific behaviors in affected deployments (pre-2025.12.18 versions of mcp-server-git):

  • Use of git_init on non-validated or arbitrary paths.
  • git_diff calls with unsanitized arguments leading to unexpected file modifications.
  • Bypassed --repository restrictions allowing access outside configured allowlists.
  • Unusual file creations/overwrites in .git directories (e.g., modified .git/config or .gitattributes).
  • Prompt-triggered Git operations on sensitive or non-repo paths.
  • Chained calls between Git MCP and Filesystem MCP resulting in unexpected shell execution or file I/O.

Monitor logs for anomalous MCP tool calls, especially git_init, git_diff, or filesystem writes following suspicious prompts.
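As an added detection example (not from the Cyata research or from either MCP server), the rules below flag the behaviors listed above when run over an MCP host's tool-call log, correlate a git_init with a later write into that directory's .git/ (step 2 of the chain described earlier), and scan a .git/config for the filter and hook settings such a write would leave behind. The log format (one JSON object per call with ts, server, tool and args), the repo_path/path argument names, the sample telemetry and the sample config are all constructed assumptions; map them to whatever your MCP host actually records.

```python
"""Added detection example (not from the Cyata research or either MCP server):
per-call rules for the three flaws, correlation of git_init with later writes
into .git/, and a .git/config scanner.  Log format and argument names are
assumptions; the sample data below is constructed, not real telemetry."""
from __future__ import annotations

import json
import posixpath
import re

ALLOWED_REPOS = ["/home/dev/work/app"]          # the configured --repository allowlist (assumed)
WRITE_TOOLS = {"write_file", "edit_file", "move_file", "create_directory"}  # filesystem-server tools


def _inside(path: str, roots: list[str]) -> bool:
    """Lexical containment check after normalising '..' segments."""
    p = posixpath.normpath(path)
    return any(p == r or p.startswith(r.rstrip("/") + "/") for r in map(posixpath.normpath, roots))


def analyze_call(call: dict, roots: list[str] = ALLOWED_REPOS) -> list[str]:
    """Return the findings for a single tool call (empty list when benign)."""
    tool, args = call.get("tool", ""), call.get("args", {})
    findings = []
    if tool == "git_init":
        findings.append("git_init invoked (removed in 2025.12.18; any use on older servers is suspect)")
    repo = args.get("repo_path")
    if tool.startswith("git_") and repo and not _inside(repo, roots):
        findings.append(f"{tool} targets {repo}, outside the repository allowlist")
    if tool == "git_diff":
        for key, val in args.items():
            if isinstance(val, str) and val.startswith("-"):
                findings.append(f"git_diff argument {key}={val!r} is option-shaped (argument injection)")
    if tool in WRITE_TOOLS:
        parts = posixpath.normpath(args.get("path", "")).split("/")
        if ".git" in parts or parts[-1] == ".gitattributes":
            findings.append(f"{tool} modifies Git metadata: {args.get('path')}")
    return findings


def analyze_log(lines: list[str], roots: list[str] = ALLOWED_REPOS) -> list[dict]:
    """Run the per-call rules and correlate git_init with later writes into the
    same directory's .git/ or .gitattributes (the filter/hook injection chain)."""
    alerts, initialised = [], set()
    for line in lines:
        call = json.loads(line)
        findings = analyze_call(call, roots)
        tool, args = call.get("tool", ""), call.get("args", {})
        if tool == "git_init" and args.get("repo_path"):
            initialised.add(posixpath.normpath(args["repo_path"]))
        if tool in WRITE_TOOLS:
            target = posixpath.normpath(args.get("path", ""))
            for d in initialised:
                if target.startswith(d + "/.git/") or target == d + "/.gitattributes":
                    findings.append(f"CHAIN: git_init on {d} followed by write to {target}")
        if findings:
            alerts.append({"ts": call.get("ts"), "tool": tool, "findings": findings})
    return alerts


_SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"[^"]*")?\]$')


def scan_git_config(text: str) -> list[str]:
    """Flag config keys that make git run a command: filter.*.clean/smudge/process
    and core.hooksPath.  Legitimate filters (e.g. git-lfs) match too, so treat
    hits as triage items rather than verdicts."""
    hits, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        key, sep, val = line.partition("=")
        if not sep:
            continue
        key, val = key.strip().lower(), val.strip()
        if section == "filter" and key in {"clean", "smudge", "process"}:
            hits.append(f"filter {key} command: {val}")
        elif section == "core" and key == "hookspath":
            hits.append(f"core.hooksPath redirected to {val}")
    return hits


# Constructed sample telemetry: one benign call, then the three flaws and the chain.
SAMPLE_LOG = [
    '{"ts":"2026-01-20T10:00:01Z","server":"git","tool":"git_status","args":{"repo_path":"/home/dev/work/app"}}',
    '{"ts":"2026-01-20T10:00:02Z","server":"git","tool":"git_diff","args":{"repo_path":"/home/dev/work/app","target":"--output=/home/dev/.bashrc"}}',
    '{"ts":"2026-01-20T10:00:03Z","server":"git","tool":"git_init","args":{"repo_path":"/home/dev"}}',
    '{"ts":"2026-01-20T10:00:04Z","server":"filesystem","tool":"write_file","args":{"path":"/home/dev/.git/config","content":"<filter definition>"}}',
    '{"ts":"2026-01-20T10:00:05Z","server":"git","tool":"git_add","args":{"repo_path":"/home/dev","files":["notes.txt"]}}',
]

# Constructed .git/config: a legitimate git-lfs filter next to an injected one.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\thooksPath = /tmp/.cache/hooks
[filter "lfs"]
\tclean = git-lfs clean -- %f
\trequired = true
[filter "review"]
\tclean = /tmp/.cache/run.sh
"""

if __name__ == "__main__":
    print(json.dumps(analyze_log(SAMPLE_LOG), indent=2), *scan_git_config(SAMPLE_CONFIG), sep="\n")
```

The correlation rule is the one worth keeping even after patching: a write into a .git directory by a tool that is not Git is rarely legitimate, and following a git_init on a path outside the allowlist it is the chain in the open. Run scan_git_config over the repositories an agent can reach to catch a filter or hook that was planted before monitoring started.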

Mitigation Recommendations

  • Update immediately — Upgrade to mcp-server-git version 2025.12.18 or later (git_init fully removed; path validation and argument sanitization enforced).
  • Review MCP combinations — Avoid pairing Git MCP with broad Filesystem access unless strictly necessary; apply least-privilege configs (e.g., narrow allowlists).
  • Harden prompt inputs — Sanitize or filter external content (READMEs, issues, web pages) fed to AI agents; use trusted sources only.
  • Monitor agent behavior — Log and alert on unexpected tool calls, file operations, or Git commands in AI workflows.
  • Audit deployments — Inventory running MCP servers and check their versions; prefer reviewed, maintained implementations over unreviewed forks of the reference servers.
  • Educate teams — Train developers on prompt injection risks in agentic tooling; treat MCP servers with the same scrutiny as any privileged system interface.

“Agentic systems break in unexpected ways when multiple components interact. Each MCP server might look safe in isolation, but combine two of them, Git and Filesystem in this case, and you get a toxic combination.”
Yarden Porat, Cyata Security researcher, January 2026 analysis
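What "narrow allowlists" looks like in practice, as an added example (this is an illustrative MCP host configuration, not one published by Anthropic or by Cyata). The weak setting is a Filesystem server rooted at the user's home directory or at the whole checkout, which leaves every .git/config and .gitattributes writable; the corrected one pins the patched Git server and grants the Filesystem server only the working-tree subdirectories the agent actually needs, so Git metadata is out of its reach. The directory paths are placeholders, and the `package@version` pin is assumed to match how the host resolves the server; check it against the server's own README.

```json
{
  "mcpServers": {
    "git": {
      "command": "uvx",
      "args": ["mcp-server-git@2025.12.18", "--repository", "/home/dev/work/app"]
    },
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/home/dev/work/app/src",
        "/home/dev/work/app/docs"
      ]
    }
  }
}
```

The point of listing src and docs rather than the repository root is that the Filesystem server's allowlist has no notion of "everything except .git": whatever root it is given, every path beneath it is writable. If the agent must edit files across the whole tree, the remaining control is monitoring writes into .git/ and .gitattributes, as described above.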

Source and full details:

Research: Breaking Anthropic’s Official MCP Server

© 2026 ByteVanguard • Independent Cyber Threat Intelligence