Anthropic's official Git tool exposes three major vulnerabilities, with prompt injection potentially leading to remote code execution

2026-01-21 00:23:23

Anthropic-maintained official mcp-server-git tool has been found to contain three serious security vulnerabilities. These vulnerabilities can be remotely exploited through prompt injection methods, allowing attackers to trigger them without direct access to the victim’s system, simply by malicious README files or compromised web pages. Even more dangerous, if these vulnerabilities are combined with the file system MCP server, attackers could achieve arbitrary code execution. Anthropic assigned CVE identifiers and released patches on December 17, 2025. Users are advised to update immediately.

Technical Details of the Three Vulnerabilities

Vulnerability ID	Vulnerability Type	Risk Level	Core Issue
CVE-2025-68143	Unrestricted git_init	High	Allows initialization of Git repositories in arbitrary system directories
CVE-2025-68145	Path validation bypass	High	Missing path validation for repo_path parameter
CVE-2025-68144	git_diff parameter injection	High	Improper parameter handling leading to injection vulnerability

Attack Principles

According to analysis by security research firm Cyata, the core problem of these vulnerabilities lies in mcp-server-git’s insufficient validation of input parameters. Specifically:

Path validation flaw: The repo_path parameter lacks effective path validation, enabling attackers to create Git repositories in arbitrary system directories, bypassing security boundaries
Configuration file abuse: Attackers can configure clean filters in the .git/config file, allowing execution of arbitrary shell commands without execution permissions
Parameter injection risk: Improper handling of parameters like git_diff opens the door for injection attacks

New Threat of Prompt Injection

What makes these vulnerabilities particularly insidious is the covert nature of the attack methods. Attackers do not need to directly compromise the system but can trigger the vulnerabilities through:

Embedding special instructions within malicious README files
Attacking through compromised web content
Exploiting large language models’ handling of user inputs

When users or AI systems process these contents, malicious instructions are executed, leading to the chain of vulnerabilities being triggered.

Risks of Combined Exploitation

While each individual vulnerability has limited impact, combining these with the file system MCP server could allow attackers to:

Execute arbitrary code
Delete system files
Read arbitrary file contents into the large language model context

This could give attackers full control over the system or enable data theft. For enterprises and individuals developing or deploying with Anthropic tools, this poses a serious security threat.

Fixes and Recommendations

Anthropic assigned CVE identifiers and submitted patches on December 17, 2025. The official recommendations are:

Immediately update mcp-server-git to version 2025.12.18 or later
Check for suspicious .git/config configurations in the system
Audit recent Git repositories and file operation logs
For critical systems, conduct thorough testing before updating

Summary

This vulnerability incident highlights the security challenges in the rapid development of AI tools. As an industry-leading AI company, Anthropic’s official tools containing such vulnerabilities remind us that even projects maintained by professional teams require ongoing security audits. Prompt injection as a new attack vector is becoming a common threat in the AI ecosystem and warrants industry-wide attention. For developers, timely updates, regular audits, and security awareness are essential.

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.