Critical Flaws in Anthropic Git MCP Server Allow Attackers to Manipulate AI
421Security researchers have uncovered three serious vulnerabilities in Anthropic’s official Git MCP server that could let hackers tamper with large language models (LLMs) and their outputs. These flaws could be exploited through prompt injection attacks, potentially causing chaos in AI systems used across many organizations. The warning comes from Cyata, an Israel-based cybersecurity firm, which urges companies to update to the latest versions of the affected software immediately.
Understanding the Vulnerabilities in Anthropic’s Git MCP Server
The three security flaws are linked to specific issues in the mcp-server-git, which is part of Anthropic’s Model Context Protocol (MCP) standard. This standard, launched in 2024, helps AI assistants like Claude Desktop and Windsurf connect with external tools and data sources, including filesystems, APIs, and development platforms like Git. The MCP server acts as a bridge, executing commands based on the AI’s decisions.
Cyata’s researchers found that the vulnerabilities allow malicious actors to run unapproved code, inject harmful commands, or even delete files. These issues are present in all configurations of the server, making them particularly dangerous for organizations relying on the default setup. The flaws are identified as CVE-2025-68143, CVE-2025-68145, and CVE-2025-68144, each describing specific ways attackers can manipulate the system.
Details of the Security Flaws and Their Impact
The first vulnerability, CVE-2025-68143, involves an unrestricted git_init process. This allows attackers to create new repositories with malicious content that the LLM might access. The second flaw, CVE-2025-68145, is a path validation bypass. This means an attacker can craft paths that the server does not properly validate, potentially leading to the execution of malicious code or reading of sensitive files.
The third issue, CVE-2025-68144, involves argument injection in the git_diff command. This flaw enables attackers to inject arbitrary git flags, which could overwrite files or manipulate the repository in harmful ways. Researchers also found that an attacker could delete files by exploiting these vulnerabilities, adding to the severity of the security risks.
What makes these flaws particularly concerning is that they work out of the box, regardless of how the server is configured. Unlike other vulnerabilities that require specific setups, these issues are present in the default installation of Anthropic’s MCP server, making widespread exploitation more likely.
Why These Flaws Matter for AI Security
The MCP standard is designed to enable AI systems to interact seamlessly with external tools and data sources. However, if the underlying server is compromised, an attacker can manipulate the AI’s context and influence its actions. By injecting malicious prompts or commands, hackers can cause the AI to run harmful code or provide false information.
This is especially dangerous given the widespread adoption of MCP servers by thousands of vendors and third-party providers. Many organizations rely on these tools for critical functions, from customer support to data analysis. The presence of these vulnerabilities means that malicious actors could potentially hijack AI workflows, leading to data breaches, system disruptions, or even manipulated outputs that could harm users.
Researchers emphasize the importance of updating to the latest versions of both the Git MCP server and the Filesystem MCP server. Doing so can prevent attackers from exploiting these known flaws and ensure the integrity of AI systems that depend on these tools.
While it’s not clear how many enterprises are using the affected version of the official Git MCP server, the risk remains significant. Cyata’s discovery highlights the need for organizations to stay vigilant and keep their software up to date to defend against evolving cyber threats targeting AI infrastructure.
What do you think?
It is nice to know your opinion. Leave a comment.