Cyata — Anthropic MCP Git server prompt-injection CVEs

• Category: Security

AI relevance: MCP servers are agent tools; prompt injection into tool arguments can turn AI context into file-system and Git actions on production hosts.

  • Cyata reports three CVEs in Anthropic’s official mcp-server-git reference implementation.
  • The issues can be triggered via prompt injection (malicious README, issue text, or web content read by the assistant).
  • CVE-2025-68145: path validation bypass lets attackers operate on arbitrary repos, not just the configured one.
  • CVE-2025-68144: argument injection in git_diff enables unsafe flags and file overwrite patterns.
  • CVE-2025-68143: unrestricted git_init can delete or reinitialize directories.
  • Impact escalates to code execution when combined with a filesystem MCP server that can write files.
  • Fixes landed in December 2025; versions prior to 2025.12.18 are affected.

Why it matters

  • Reference MCP servers are widely copied into agent stacks; insecure defaults can propagate quickly.
  • Prompt injection turns untrusted text into actionable tool calls, effectively creating a remote command surface.
  • Git + filesystem tool chaining is common in agentic coding workflows, raising the blast radius.

What to do

  • Update mcp-server-git to the fixed release and verify version pinning in your toolchain.
  • Separate Git and filesystem tools or enforce strict allowlists for paths and arguments.
  • Sandbox MCP servers and run them with minimal filesystem permissions.
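The "strict allowlists for paths and arguments" recommendation above is the one that directly addresses all three issue classes (repo path escaping the configured root, option-like strings reaching git, and an init landing on an arbitrary directory). Below is an added illustration of what such a wrapper looks like; it is not code from mcp-server-git or from Cyata, and the root directory, repository names and function names are constructed for the example.

```python
"""Added example: allowlist-style validation for a Git MCP tool wrapper.

Illustrative code, not the mcp-server-git project's own. It assumes a wrapper
that receives model-supplied tool arguments (repository name, revision, file
paths) and must reject anything outside a configured root, anything git could
parse as an option, and any git_init that would touch an existing repository.
"""
from pathlib import Path

ALLOWED_ROOT = "/srv/agent-repos"  # constructed example root, not from the advisory


class ToolArgumentError(ValueError):
    """Raised when a model-supplied argument fails validation."""


def resolve_repo_path(allowed_root: str, requested: str) -> Path:
    """Return the real path of `requested`, which must live under `allowed_root`.

    Both sides are resolved (symlinks and '..' collapsed) before comparison, so
    '../other-repo' or a symlink pointing outside the root are rejected rather
    than silently followed.
    """
    root = Path(allowed_root).resolve()
    candidate = Path(requested)
    target = (candidate if candidate.is_absolute() else root / candidate).resolve()
    if target != root and root not in target.parents:
        raise ToolArgumentError(f"path {requested!r} escapes allowed root {allowed_root!r}")
    return target


def reject_option_like(value: str, what: str) -> str:
    """Reject values git would parse as a flag (e.g. '--output=...') or as stdin ('-')."""
    if not value or value.startswith("-"):
        raise ToolArgumentError(f"{what} {value!r} looks like a git option, refusing")
    if "\x00" in value or "\n" in value:
        raise ToolArgumentError(f"{what} contains control characters, refusing")
    return value


def validate_relative_paths(repo: Path, paths) -> list:
    """Normalise pathspecs to paths relative to `repo`; reject escapes and flags."""
    safe = []
    for p in paths:
        reject_option_like(p, "path")
        full = (repo / p).resolve()
        if full != repo and repo not in full.parents:
            raise ToolArgumentError(f"path {p!r} escapes repository {repo}")
        safe.append(str(full.relative_to(repo)))
    return safe


def build_git_diff_command(allowed_root: str, repo_name: str,
                           revision: str = "HEAD", paths=()) -> list:
    """Build an argv for `git diff` where no model-supplied token can become a flag."""
    repo = resolve_repo_path(allowed_root, repo_name)
    reject_option_like(revision, "revision")
    safe_paths = validate_relative_paths(repo, paths)
    # '--' ends option parsing: everything after it is a pathspec, never an option.
    return ["git", "-C", str(repo), "diff", revision, "--", *safe_paths]


def build_git_init_command(allowed_root: str, repo_name: str) -> list:
    """Only allow init inside the root, and never on an existing repository."""
    repo = resolve_repo_path(allowed_root, repo_name)
    if (repo / ".git").exists():
        raise ToolArgumentError(f"refusing to reinitialize existing repository {repo}")
    # repo is an absolute path under the root, so it can never start with '-'.
    return ["git", "init", str(repo)]


def is_rejected(builder, *args, **kwargs) -> bool:
    """True if the builder refuses the given arguments (used for checks/tests)."""
    try:
        builder(*args, **kwargs)
    except ToolArgumentError:
        return True
    return False


if __name__ == "__main__":
    print(build_git_diff_command(ALLOWED_ROOT, "app", "HEAD~1", ["README.md"]))
    print("traversal rejected:", is_rejected(build_git_diff_command, ALLOWED_ROOT, "../etc"))
    print("flag rejected:", is_rejected(build_git_diff_command, ALLOWED_ROOT, "app",
                                         "--output=/tmp/x"))
```

The wrapper hands git an argv list (never a shell string), puts `--` before any model-controlled pathspec, and compares resolved paths so that `..` segments and symlinks cannot move an operation outside the configured root. Pair it with the sandboxing advice above: validation limits what the tool will attempt, the sandbox limits what a bypass could reach.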

Links