Anthropic's Official Git MCP Server Found with Multiple Security Vulnerabilities


Odaily Planet News: Three security vulnerabilities have been discovered in the official mcp-server-git maintained by Anthropic. They can be exploited through prompt injection: an attacker can trigger them with a malicious README file or a compromised web page, without direct access to the victim's system.

The vulnerabilities are CVE-2025-68143 (unrestricted git_init), CVE-2025-68145 (path validation bypass), and CVE-2025-68144 (parameter injection in git_diff). When chained with a filesystem MCP server, an attacker could execute arbitrary code, delete system files, or read the contents of arbitrary files into the context of the large language model.

Cyata points out that because mcp-server-git does not validate the repo_path parameter, attackers can create Git repositories in arbitrary directories on the system. Additionally, by configuring a clean filter in .git/config, attackers can execute shell commands without requiring execution permissions. Anthropic has assigned CVE identifiers and released a fix on December 17, 2025. Users are advised to update mcp-server-git to version 2025.12.18 or higher. (cyata)
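The three weaknesses described above map to three server-side checks: confining repo_path to an allowlist of roots, refusing option-like values before they reach git diff, and surfacing clean/smudge filter commands in a repository's .git/config before any git operation runs. The following is an added illustration, not code from mcp-server-git or from Cyata; the function names and the allowlist are hypothetical, and the configparser-based reader is an approximation of git's own config syntax (legitimate tools such as git-lfs also declare filters, so the result is a review flag, not a verdict).

```python
import configparser
from pathlib import Path


def validate_repo_path(repo_path: str, allowed_roots: list[Path]) -> Path:
    """Resolve repo_path (symlinks and '..' included) and require it to lie
    under one of allowed_roots; anything else is refused before git runs."""
    candidate = Path(repo_path).expanduser().resolve()
    for root in allowed_roots:
        root = root.resolve()
        if candidate == root or root in candidate.parents:
            return candidate
    raise ValueError(f"repo_path {repo_path!r} is outside the allowed roots")


def diff_args(target: str) -> list[str]:
    """Build the argv for a diff against `target`; option-like values are
    rejected and '--' ends option parsing so git never reads them as flags."""
    if not target or target.startswith("-"):
        raise ValueError(f"refusing option-like diff target {target!r}")
    return ["git", "diff", target, "--"]


def find_filter_commands(git_config_text: str) -> dict[str, str]:
    """Return {'filter "<name>".clean|smudge': command} for every filter
    command declared in a .git/config, so the server can flag the repository
    for review before running a git operation that could invoke it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    # git indents keys with tabs; strip indentation so configparser does not
    # mistake the lines for multi-line continuation values
    parser.read_string("\n".join(l.strip() for l in git_config_text.splitlines()))
    found = {}
    for section in parser.sections():
        if section.lower().startswith("filter "):
            for key in ("clean", "smudge"):
                if parser.has_option(section, key):
                    found[f"{section}.{key}"] = parser.get(section, key)
    return found


# Constructed sample .git/config (benign 'cat' filters) for the demo below.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[filter "example"]
\tclean = cat
\tsmudge = cat
"""

if __name__ == "__main__":
    print(find_filter_commands(SAMPLE_CONFIG))
    print(diff_args("HEAD~1"))
```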
