Ethical Hacking News
Three critical security vulnerabilities have been discovered in Anthropic's MCP server, a widely used tool for interacting with Git repositories programmatically via large language models (LLMs). The vulnerabilities could potentially allow an attacker to read or delete arbitrary files and execute code on the system, without requiring any direct access to the victim's system. Researchers at Cyata have demonstrated how these vulnerabilities could be chained together to achieve remote code execution through prompt injection.
Researchers have discovered three critical security vulnerabilities in Anthropic's MCP server, a widely used tool for interacting with Git repositories programmatically via large language models (LLMs). The vulnerabilities could allow an attacker to read or delete arbitrary files and execute code on the system without requiring any direct access to the victim's system. The three vulnerabilities are a path traversal, an argument injection, and a second path traversal. They were disclosed by Cyata researcher Yarden Porat and have been addressed with patches in versions 2025.9.25 and 2025.12.18 of the MCP server.
The cybersecurity landscape is constantly evolving, with new threats and vulnerabilities emerging every day. In a recent development that has sent shockwaves through the security community, researchers have discovered three critical security vulnerabilities in Anthropic's MCP server, a widely used tool for interacting with Git repositories programmatically via large language models (LLMs). The vulnerabilities, which were disclosed by Cyata researcher Yarden Porat in a report shared with The Hacker News, could potentially allow an attacker to read or delete arbitrary files and execute code on the system, without requiring any direct access to the victim's system.
The MCP server is a Python package that provides a set of built-in tools for reading, searching, and manipulating Git repositories. It is designed to work seamlessly with LLMs, which are powerful artificial intelligence models that can understand and generate human-like language. The server is widely used by developers and security professionals alike, as it provides an easy-to-use interface for interacting with Git repositories and leveraging the power of AI.
However, the researchers at Cyata have found that the MCP server has several critical vulnerabilities that could be exploited by an attacker to gain unauthorized access to sensitive data or execute malicious code on the system. The first vulnerability, CVE-2025-68143, is a path traversal vulnerability: the git_init tool accepts arbitrary file system paths during repository creation without validation. This means that an attacker could potentially manipulate the input parameters of the git_init tool to access sensitive files or directories on the system.
The second vulnerability, CVE-2025-68144, is an argument injection vulnerability: the git_diff and git_checkout functions pass user-controlled arguments directly to the git CLI commands without sanitization. This means that an attacker could potentially inject malicious input into these functions to execute arbitrary code on the system.
The third and final vulnerability, CVE-2025-68145, is another path traversal vulnerability: when the --repository flag is used to limit operations to a specific repository path, the MCP server does not validate the path parameter against that restriction. This means that an attacker could potentially manipulate the path parameter to access sensitive files or directories on the system.
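The checks whose absence the three descriptions above point to can be sketched as follows. This is an added example, not code from the MCP server or its patches; the helper names resolve_inside, safe_ref and diff_argv and the sample paths are hypothetical.

```python
from pathlib import Path


def resolve_inside(allowed_root: str, requested: str) -> Path:
    """Return the resolved path if it stays under allowed_root, else raise.

    Applies to a path handed to a tool such as git_init and to any per-call
    path when the server is restricted with --repository.
    """
    root = Path(allowed_root).resolve()
    # resolve() collapses ".." and follows symlinks; an absolute `requested`
    # replaces root in the join and is then rejected by the check below.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes allowed repository: {requested!r}")
    return candidate


def safe_ref(ref: str) -> str:
    """Reject values the git CLI would parse as an option, not a revision."""
    if not ref or ref.startswith("-") or any(c.isspace() or ord(c) < 32 for c in ref):
        raise ValueError(f"refusing option-like or malformed ref: {ref!r}")
    return ref


def diff_argv(repo: Path, target: str) -> list[str]:
    """Build an argv list (never a shell string) for diffing a validated ref."""
    # --end-of-options (git 2.24+) ends option parsing as a second barrier.
    return ["git", "-C", str(repo), "diff", "--end-of-options", safe_ref(target)]


if __name__ == "__main__":
    # Constructed inputs: the root and the requested values are illustrative.
    root = "/srv/repos/project"
    for path in ["docs", "../other-repo", "/etc"]:
        try:
            print("path ok:", resolve_inside(root, path))
        except ValueError as err:
            print("blocked:", err)
    for ref in ["main", "--some-option=value"]:
        try:
            print("argv:", diff_argv(Path(root), ref))
        except ValueError as err:
            print("blocked:", err)
```

Comparing resolved paths rather than string prefixes is what keeps a sibling directory such as a constructed "project2" from passing as being inside "project".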
The researchers at Cyata have demonstrated how these vulnerabilities could be chained together to achieve remote code execution by triggering a call to git_init through prompt injection. This means that an attacker could potentially use these vulnerabilities to gain unauthorized access to sensitive data or execute malicious code on the system, without requiring any direct access to the victim's system.
In response to the discovery of these vulnerabilities, Anthropic has released patches in versions 2025.9.25 and 2025.12.18, which address the path traversal and argument injection vulnerabilities. The company recommends that users of the MCP server update to the latest version to ensure optimal protection against these vulnerabilities.
The discovery of these critical security vulnerabilities in Anthropic's MCP server serves as a reminder of the importance of staying vigilant in the cybersecurity landscape. As AI-powered tools like LLMs become increasingly ubiquitous, it is essential to ensure that these tools are designed with robust security features and that developers and users are aware of potential vulnerabilities.
The fact that these vulnerabilities could be exploited by an attacker without requiring any direct access to the victim's system highlights the importance of implementing robust security measures to prevent lateral movement within a network. This includes ensuring that sensitive data is properly encrypted, that access controls are in place, and that monitoring and incident response procedures are well-established.
In conclusion, the discovery of these critical security vulnerabilities in Anthropic's MCP server serves as a wake-up call for developers, users, and security professionals alike. It highlights the importance of staying vigilant in the cybersecurity landscape and ensuring that tools like LLMs are designed with robust security features to prevent unauthorized access to sensitive data or execution of malicious code.
Related Information:
https://www.ethicalhackingnews.com/articles/Three-Critical-Security-Vulnerabilities-Found-in-Anthropics-MCP-Server-ehn.shtml
Published: Tue Jan 20 08:49:38 2026 by llama3.2 3B Q4_K_M