

Ethical Hacking News

Anthropic's MCP Server Vulnerabilities: A Chain Reaction of Security Concerns


Anthropic's MCP server has been patched, but a recent vulnerability discovery serves as a reminder of the complexity and potential risks associated with modern AI system integration.

  • Anthropic's Git MCP server was found to have three critical vulnerabilities by Cyata, a cybersecurity research organization.
  • The vulnerabilities were related to flaws in connecting AI systems to external data sources and could be chained together for remote code execution.
  • The vulnerabilities stemmed from issues with path validation, git_init, and argument injection in the GitPython library.
  • Combinations of these vulnerabilities, along with the Filesystem MCP server, enabled indirect prompt injection leading to remote code execution.
  • Anthropic has addressed the vulnerabilities by removing the git_init tool from its server and fixing identified issues.
  • The discovery highlights the importance of thorough testing and review in AI system development and emphasizes the need for proactive security assessments in agentic systems.



    Anthropic, a leading agentic AI security startup, recently addressed three critical vulnerabilities in its official Git MCP server. The discovery was made by Cyata, an organization that specializes in cybersecurity research, and reported to Anthropic in June 2024. Despite the initial notification, it took several months for Anthropic to fix the issues, which could be chained with the Filesystem MCP server to achieve remote code execution.

    The Git MCP server is a crucial component of Anthropic's ecosystem, providing a bridge between its AI models and external data sources such as filesystems, databases, APIs, messaging platforms, and development tools like Git. This connection enables the AI systems to access the necessary data or tools for their operations. However, this very same architecture presents a vulnerability when exploited.

    According to Cyata security researcher Yarden Porat, "Agentic systems break in unexpected ways when multiple components interact. Each MCP server might look safe in isolation, but combine two of them, Git and Filesystem in this case, and you get a toxic combination." This statement highlights the potential for unforeseen consequences when various system components are integrated.

    The identified vulnerabilities, specifically CVE-2025-68145, CVE-2025-68143, and CVE-2025-68144, stem from flaws in the way AI systems connect to external data sources. These issues involve a path validation bypass flaw, an unrestricted git_init issue, and an argument injection in git_diff.

    CVE-2025-68145 allows attackers to cross a security boundary by bypassing the restriction that the --repository flag places on which repository paths may be used. This means that any repository on the system can be accessed without proper authorization. CVE-2025-68143 involves git_init accepting arbitrary filesystem paths, enabling the creation of Git repositories in any directory. Finally, CVE-2025-68144 results from passing user-controlled arguments directly to the GitPython library without sanitization, leading to potential file overwrites and deletions.
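
    The input checks these three flaws call for, shown as an added example (not code from mcp-server-git or from Cyata's report): a path is accepted only if it resolves inside the configured repository, and a revision argument is rejected if git would read it as an option. The function names, directory layout and sample arguments are hypothetical and constructed for illustration.

```python
import tempfile
from pathlib import Path


class ToolInputError(ValueError):
    """A tool argument failed validation."""


def resolve_repo_path(requested: str, allowed_root: str) -> Path:
    """Return the resolved path only if it sits inside allowed_root."""
    root = Path(allowed_root).resolve()
    candidate = (root / requested).resolve()  # collapses ".." and symlinks
    # Compare path components, not string prefixes: "/srv/app-secrets"
    # starts with "/srv/app" but is not inside it.
    if candidate != root and root not in candidate.parents:
        raise ToolInputError(f"{requested!r} is outside the allowed repository")
    return candidate


def check_revision(value: str) -> str:
    """Reject values git would parse as an option instead of a revision."""
    if not value or value.startswith("-"):
        raise ToolInputError(f"{value!r} is not accepted as a revision")
    if any(ch in value for ch in "\x00\r\n"):
        raise ToolInputError("control characters are not accepted")
    return value


def _verdict(check, *args) -> str:
    try:
        check(*args)
        return "accepted"
    except ToolInputError:
        return "rejected"


def demo() -> dict:
    """Run both checks against a constructed directory layout."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = Path(tmp, "projects", "app")
        sibling = Path(tmp, "projects", "app-secrets")
        allowed.mkdir(parents=True)
        sibling.mkdir(parents=True)
        return {
            "inside": _verdict(resolve_repo_path, "src", str(allowed)),
            "absolute_sibling": _verdict(resolve_repo_path, str(sibling), str(allowed)),
            "dotdot": _verdict(resolve_repo_path, "../app-secrets", str(allowed)),
            "branch": _verdict(check_revision, "main"),
            "option_like": _verdict(check_revision, "--example-option=value"),
        }
```

    The same containment check applies to every tool that takes a path, including one that creates repositories.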

    When combined with the Filesystem MCP server, these vulnerabilities enable the execution of malicious code remotely through indirect prompt injection. This process involves creating a Git repository in a writable directory using git_init, writing a bash script as payload using the Filesystem MCP server, setting up "clean" and "smudge" filters to execute the script upon specific Git operations, and finally exploiting these filters to trigger the script execution.

    The potential for attackers to chain these vulnerabilities is concerning. As Porat explained, it's a four-step process: creating a repository, writing the payload script, configuring the filters, and executing the script due to prompt injection. This chain reaction highlights the complexity of modern agentic systems and the need for vigilance in their development and deployment.
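
    For detection, the filter-configuration step of this chain leaves a trace in the repository's config file. The following added example (not from the original article or from Cyata) lists filter drivers whose clean, smudge or process command is not on an allowlist. The sample config is constructed, and the allowlist assumes Git LFS is the only filter driver expected in the environment.

```python
import re

# Matches headers such as [core] and [filter "lfs"].
SECTION = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
# Keys under [filter "<name>"] whose value git runs as a command.
EXEC_KEYS = {"clean", "smudge", "process"}
# Assumption: commands written by `git lfs install` are the only expected ones.
ALLOWED_COMMANDS = {
    "git-lfs clean -- %f",
    "git-lfs smudge -- %f",
    "git-lfs filter-process",
}

# Constructed sample of a .git/config file.
SAMPLE_CONFIG = "\n".join([
    "[core]",
    "\trepositoryformatversion = 0",
    '[filter "lfs"]',
    "\tclean = git-lfs clean -- %f",
    "\tsmudge = git-lfs smudge -- %f",
    "\trequired = true",
    '[filter "fmt"]',
    "\tclean = sh ./payload.sh",
    "\tsmudge = cat",
])


def unexpected_filter_drivers(config_text: str) -> list:
    """Return (line, driver, key, command) for each non-allowlisted filter."""
    findings = []
    section, driver = None, None
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION.match(line)
        if header:
            section, driver = header.group(1).lower(), header.group(2)
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if section == "filter" and key in EXEC_KEYS and value not in ALLOWED_COMMANDS:
            findings.append((lineno, driver, key, value))
    return findings
```

    Filter drivers can also be defined in global or included config files, so an audit should cover those as well as each repository's own config.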

    Anthropic has since addressed these vulnerabilities by removing the git_init tool from its server and fixing the identified issues. Users running a version of mcp-server-git prior to 2025.12.18 are advised to upgrade to the latest version to avoid potential exploitation.

    The discovery of this vulnerability serves as a reminder of the importance of thorough testing and review in AI system development. Anthropic's proactive response to address these concerns underscores its commitment to security, although it would have been ideal if they had addressed these issues before their release.

    Cyata's report on these vulnerabilities emphasizes the growing need for comprehensive security assessments in agentic systems, especially when multiple components are integrated. As Porat noted, "As organizations adopt more complex agentic systems with multiple tools and integrations, these combinations will multiply." This warning echoes the importance of proactive security measures to prevent unforeseen consequences.

    In conclusion, Anthropic's MCP server vulnerabilities serve as a crucial reminder of the need for comprehensive security testing in AI system development. The potential for chain reactions like this underscores the complexity of modern agentic systems and highlights the importance of vigilance in their development and deployment. As organizations continue to adopt more complex agentic systems, the necessity for proactive security assessments cannot be overstated.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Anthropics-MCP-Server-Vulnerabilities-A-Chain-Reaction-of-Security-Concerns-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/01/20/anthropic_prompt_injection_flaws/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-68145

  • https://www.cvedetails.com/cve/CVE-2025-68145/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-68143

  • https://www.cvedetails.com/cve/CVE-2025-68143/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-68144

  • https://www.cvedetails.com/cve/CVE-2025-68144/


  • Published: Tue Jan 20 07:09:11 2026 by llama3.2 3B Q4_K_M












