Multiple Vulnerabilities Discovered in Anthropic’s Git MCP Server

Anthropic’s Model Context Protocol: Security Vulnerabilities Uncovered

Anthropic has made significant strides in AI technology with the introduction of the Model Context Protocol (MCP). Security was initially not at the forefront of its design, possibly to encourage faster adoption among developers. However, vulnerabilities have now been found in Anthropic’s own Git MCP server, raising substantial concerns about the security of the protocol.

Vulnerabilities in Focus

The Git MCP server serves as the reference implementation of Anthropic’s Model Context Protocol for Git. Cyata Security, a firm specializing in cybersecurity, found that this server contains multiple vulnerabilities. This is troubling given that the purpose of the Git MCP server is to guide developers on safely exposing Git repositories to large language model (LLM)-driven agents.

Shahar Tal, co-founder and CEO of Cyata Security, referred to the Git MCP server as “canonical.” He pointed out that the existence of these vulnerabilities indicates a pressing need for enhanced security across the broader MCP ecosystem.

Highlighting the Three High-Impact Vulnerabilities

Cyata Security identified three significant vulnerabilities in the Git MCP server:

  1. Unrestricted git_init Function (CVE-2025-68143): This vulnerability allows repository initialization at arbitrary file paths outside of expected directories.

  2. Path Validation Bypass (CVE-2025-68145): This issue permits access to repositories that lie outside the configured allowlist, risking unauthorized exposure.

  3. Argument Injection in git_diff (CVE-2025-68144): Here, unsanitized user input is sent directly to the Git command-line interface, leading to possible command execution.

These vulnerabilities are especially concerning because, when exploited together, they increase the potential for serious attacks. An attacker could read or delete arbitrary files, or overwrite files on the host system. The risks escalate dramatically when the Git MCP server is paired with the Filesystem MCP server. In such cases, Git’s smudge and clean filters could be weaponized to run malicious shell commands defined in repository configuration files.

The Threat of Prompt Injection

The vulnerabilities reveal a critical weakness in the functioning of MCP servers. These servers are integral to the operations of agents that run on LLMs. Notably, prompt injection has emerged as a major attack vector in AI applications, landing it a spot at the top of the OWASP Top 10 list for vulnerabilities.

Prompt injection allows attackers to manipulate the behavior of LLMs by influencing the content that an AI assistant consumes. For instance, a maliciously crafted README file, a poisoned issue description, or a compromised webpage could all serve to trigger the entire exploit chain. The adaptability of attackers is a stark reminder that, if an AI agent has extensive privileges, those privileges could be exploited in unforeseen ways.

Urgent Calls to Action

Cyata Security did not remain silent about the vulnerabilities they identified; the firm reported them to Anthropic in June of the previous year. By December 17, patches were issued to address the security flaws, which notably included the removal of the git_init tool from the Git MCP server.

For organizations utilizing the MCP server for Git, the message is clear: immediate updates are essential. Additionally, it is vital to regard all arguments passed to MCP tools as untrusted input. Employing strict restrictions on which MCP servers and tools can be engaged by agents is highly advisable. Furthermore, a comprehensive evaluation of agent permissions—rather than tool-by-tool permissions—is crucial for holistic security.
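
The following is an added example, not code from the Git MCP server or from Cyata Security's report. It shows one way to treat the arguments of a diff-style tool as untrusted input: the repository path is resolved and compared against an allowlisted root, and the revision is rejected if it could be read as an option. All function names and the allowlisted root are hypothetical, and the inputs are constructed.

```python
import os
import re
import tempfile

# Hypothetical names throughout; the allowlisted root is an assumed deployment setting.
REF_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/~^@{}-]*$")

class ToolArgumentError(ValueError):
    """An MCP tool argument failed validation."""

def resolve_repo(requested, allowed_root):
    """Return the real path of `requested` only if it lies inside `allowed_root`."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(requested)  # collapses "../" and follows symlinks
    # commonpath compares whole path components; a string-prefix check would not.
    if os.path.commonpath([root, real]) != root:
        raise ToolArgumentError(f"repository outside allowlist: {requested!r}")
    return real

def check_ref(value):
    """Accept only strings shaped like a revision, never like an option."""
    if not REF_RE.fullmatch(value):
        raise ToolArgumentError(f"not a valid revision: {value!r}")
    return value

def build_diff_argv(repo, target, allowed_root):
    """Build an argv list (no shell) for `git diff`; --end-of-options needs Git 2.24+."""
    repo_path = resolve_repo(repo, allowed_root)
    return ["git", "-C", repo_path, "diff", "--end-of-options", check_ref(target), "--"]

def demo():
    """Run the checks on a constructed directory tree and constructed inputs."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "repos")
        project = os.path.join(root, "project")
        os.makedirs(project)
        cases = {"inside": (project, "main"),
                 "sibling_prefix": (root + "-other", "main"),  # shares the prefix only
                 "dot_dot": (os.path.join(project, "..", ".."), "main"),
                 "option_like_ref": (project, "--constructed-option=x")}
        for name, (repo, target) in cases.items():
            try:
                results[name] = build_diff_argv(repo, target, root)
            except ToolArgumentError as exc:
                results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    print(*(f"{k} -> {v}" for k, v in demo().items()), sep="\n")
```

Only the first constructed case yields an argument vector; the other three are rejected before any Git process would be started.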

The implications of these vulnerabilities extend far beyond Anthropic; they shed light on the critical need for security in AI-driven environments, a need that may be more pressing than ever as such technologies continue to proliferate.
