Anthropic Patches Critical Prompt Injection Flaws in Official Git MCP Server
Take action: Be aware that all MCP servers are vulnerable to various prompt injections. Always add filtering and validation to all inputs to the AI Agent and to the MCP server. If you are using Anthropic's mcp-server-git, update it to version 2025.12.18 ASAP and avoid running Git and filesystem MCP servers on the same host.
Anthropic's official Git Model Context Protocol (MCP) server contained three vulnerabilities that allowed attackers to take over systems via prompt injection. The server, mcp-server-git, bridges Large Language Models (LLMs) like Claude with local Git repositories.
The vulnerabilities are caused by how the server handles user-supplied arguments. Researchers discovered that the server ignored configured repository boundaries, allowing the AI to operate on any directory.
Vulnerabilities summary:
- CVE-2025-68144 (CVSS score 9.8) - Argument injection in the git_diff tool allows attackers to overwrite or delete arbitrary files by injecting flags like --output.
- CVE-2025-68143 (CVSS score 9.1) - Unrestricted git_init allows attackers to initialize repositories in sensitive directories, leading to file deletion or data exposure.
- CVE-2025-68145 (CVSS score 7.5) - Path validation bypass enables the AI to access files outside the intended repository scope.
Attackers trigger these vulnerabilities by poisoning the information an AI reads. This includes malicious README files, issue descriptions, or compromised webpages. When the AI processes this content, it may automatically call MCP tools with attacker-controlled parameters. For example, an attacker can force the AI to turn a sensitive folder like .ssh into a Git repo and then "diff" the contents to read private keys into the AI's conversation window.
The most severe impact occurs when the Git MCP server runs together with a filesystem MCP server. Attackers can use git_init to create a repository in a writable folder and then use the filesystem server to plant a malicious .git/config file. By configuring "clean" or "smudge" filters, the attacker can execute shell commands whenever the AI performs standard Git actions like git_add. This chain bypasses the need for file execution permissions, as Git runs these filters directly through the shell.
Anthropic released patches in December 2025 to address these issues. Users should update mcp-server-git to version 2025.12.18 or later immediately. Organizations should also audit their MCP configurations, especially when combining Git and filesystem access, to limit the potential blast radius of prompt injection attacks.
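The input validation recommended above, sketched in Python as an added example (it is not code from this article or from Anthropic's patch): it confines the repository path to a configured root and refuses revision arguments that Git would parse as options, the two failure classes behind CVE-2025-68145 and CVE-2025-68144. The function names and the ToolArgumentError class are hypothetical.

```python
from pathlib import Path


class ToolArgumentError(ValueError):
    """Raised when a tool argument fails validation (hypothetical name)."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Return the resolved path only if it stays inside allowed_root."""
    root = Path(allowed_root).resolve()
    # resolve() collapses ".." and follows symlinks before the comparison,
    # so the check is made on the location Git would actually operate on.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ToolArgumentError(f"path escapes configured root: {requested!r}")
    return candidate


def check_revision(value: str) -> str:
    """Reject values Git would parse as an option instead of a revision."""
    if not value or value.startswith("-"):
        raise ToolArgumentError(f"not a revision: {value!r}")
    if any(ch in value for ch in "\x00\n\r"):
        raise ToolArgumentError("control character in revision")
    return value


def build_diff_argv(allowed_root: str, repo: str, target: str) -> list[str]:
    """Build the argv for `git diff` from validated arguments only."""
    repo_path = resolve_repo_path(allowed_root, repo)
    rev = check_revision(target)
    # --end-of-options (Git 2.24+) stops option parsing, as a second layer
    # behind check_revision(). The list is passed to subprocess without a shell.
    return ["git", "-C", str(repo_path), "diff", "--end-of-options", rev]
```

Validation of this kind narrows what a poisoned prompt can make the tool do; it does not replace updating to the patched release.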