Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions. "These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README,
AI Analysis
Technical Summary
Anthropic's mcp-server-git, a Python-based Git Model Context Protocol server that lets large language models interact with Git repositories programmatically, was found to contain three significant security vulnerabilities, disclosed in early 2026:
- CVE-2025-68143 is a path traversal flaw in the git_init tool, which accepted arbitrary filesystem paths during repository creation without validation, enabling attackers to create repositories in unintended directories.
- CVE-2025-68144 is an argument injection vulnerability in the git_diff and git_checkout functions, which passed user-controlled arguments directly to Git CLI commands without sanitization, risking command injection.
- CVE-2025-68145 is another path traversal issue, caused by missing validation when the --repository flag is used to limit operations to a specific repository path.
By exploiting these flaws, attackers can read or delete arbitrary files, overwrite files with empty diffs, and access any repository on the server. A documented attack chain uses the Filesystem MCP server to write a malicious .git/config file with a clean filter, a .gitattributes file to apply the filter, a shell script payload, and a trigger file, culminating in remote code execution when git_add invokes the filter.
These vulnerabilities are exploitable via prompt injection, meaning attackers can influence an AI assistant's inputs (e.g., malicious README files or poisoned issue descriptions) to weaponize the flaws without direct system access. The git_init tool has been removed, and additional path validations have been implemented in patched versions 2025.9.25 and 2025.12.18.
Because mcp-server-git is the canonical Git MCP server and is expected to be copied by developers, these vulnerabilities signal a broader risk to the MCP ecosystem. Organizations leveraging AI assistants integrated with Git repositories must urgently update to the latest versions and scrutinize AI input sources for malicious content.
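The two validation gaps described above (paths that escape the configured repository, and user values that Git parses as options) can be closed before any Git command is built. The following is an added illustration, not mcp-server-git's actual patch; the names resolve_repo, safe_ref, build_diff_argv and ToolInputError are hypothetical.

```python
from pathlib import Path


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation (hypothetical name)."""


def resolve_repo(allowed_root: str, requested: str) -> Path:
    """Resolve `requested` and require it to stay inside `allowed_root`.

    Both sides are resolved first, so '..' segments, absolute paths and
    symlinks cannot step outside the configured repository root.
    """
    root = Path(allowed_root).resolve()
    # An absolute `requested` replaces `root` in the join and is rejected below.
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise ToolInputError(f"path escapes allowed root: {requested!r}")
    return target


def safe_ref(ref: str) -> str:
    """Reject values that git would parse as an option instead of a ref."""
    if not ref or ref.startswith("-") or any(c in ref for c in "\0\n\r"):
        raise ToolInputError(f"not a valid ref: {ref!r}")
    return ref


def build_diff_argv(allowed_root: str, repo: str, target: str) -> list[str]:
    """Build an argv list for `git diff` from validated inputs (no shell)."""
    repo_path = resolve_repo(allowed_root, repo)
    # --end-of-options (Git 2.24 and later) stops option parsing before the
    # ref, as a second layer behind the leading-dash check in safe_ref().
    return ["git", "-C", str(repo_path), "diff",
            "--end-of-options", safe_ref(target)]
```

The argv list is meant to be passed to a process launcher without a shell, so the validated values are never re-parsed.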
Potential Impact
For European organizations, the impact of these vulnerabilities is significant, especially for those adopting AI-driven development workflows or using Anthropic's MCP server or its derivatives. Successful exploitation can lead to unauthorized access to sensitive source code repositories, deletion or tampering of critical files, and remote code execution on servers hosting the MCP service. This compromises confidentiality, integrity, and availability of development environments and potentially the broader IT infrastructure if attackers pivot from compromised systems. The prompt injection vector lowers the attack barrier, as attackers do not require direct system access but only the ability to influence AI assistant inputs, which may be common in collaborative development platforms or public-facing documentation. This threat could disrupt software supply chains, lead to intellectual property theft, and enable further lateral movement or persistence within affected networks. The medium severity rating reflects the complexity of chaining exploits but also the high impact of successful attacks. European organizations with AI-enhanced DevOps pipelines or those relying on Anthropic's MCP implementations should consider this a critical risk to their software integrity and operational security.
Mitigation Recommendations
European organizations should immediately update to the latest patched versions of mcp-server-git (2025.12.18 or later) that remove the vulnerable git_init tool and add strict path validation. In addition, they should:
- Audit all AI assistant inputs, especially those that parse or interact with Git repositories, to detect and block malicious prompt injections such as poisoned README files or issue descriptions.
- Implement strict input sanitization and validation on all user-controlled data fed into AI models or MCP servers.
- Restrict the MCP server's filesystem permissions to limit repository creation and modification to trusted directories only.
- Monitor Git repository activities for unusual operations, such as unexpected repository creations or modifications to .git/config and .gitattributes files.
- Employ runtime application self-protection (RASP) or behavior-based anomaly detection to identify suspicious Git command executions triggered by AI interactions.
- Conduct regular security reviews of AI integration points and consider isolating AI-assisted development environments from critical production systems.
- Engage with Anthropic and the MCP community to stay informed about further security updates and best practices.
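One way to act on the .git/config and .gitattributes monitoring recommendation is to flag filter drivers that run commands and are not on an approved list. This is an added example, not code from the advisory or from mcp-server-git; the function names, the approved list and the sample config are constructed for illustration.

```python
import re
from pathlib import Path

SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEYVAL = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')
ATTR_FILTER = re.compile(r'(?:^|\s)filter=(\S+)')
EXEC_KEYS = {"clean", "smudge", "process"}  # filter keys whose value git executes

# Constructed sample of a .git/config, not taken from any real repository.
SAMPLE_CONFIG = '''[core]
\tbare = false
[filter "lfs"]
\tclean = git-lfs clean -- %f
[filter "constructed-demo"]
\tclean = placeholder-command
'''


def filter_drivers(config_text: str) -> dict[str, dict[str, str]]:
    """Return {driver: {key: command}} for every [filter "<driver>"] section."""
    drivers, current = {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(2) if m.group(1).lower() == "filter" else None
            continue
        kv = KEYVAL.match(line)
        if kv and current is not None and kv.group(1).lower() in EXEC_KEYS:
            drivers.setdefault(current, {})[kv.group(1).lower()] = kv.group(2).strip()
    return drivers


def audit_repo(repo: Path, approved: frozenset = frozenset({"lfs"})) -> list[str]:
    """Flag filter drivers that run commands and are not on the approved list."""
    findings = []
    cfg = repo / ".git" / "config"
    drivers = filter_drivers(cfg.read_text(errors="replace")) if cfg.is_file() else {}
    for name, cmds in drivers.items():
        if name not in approved:
            findings.append(f"config: filter.{name} runs {sorted(cmds)}")
    for attrs in repo.rglob(".gitattributes"):
        for n, line in enumerate(attrs.read_text(errors="replace").splitlines(), 1):
            for name in ATTR_FILTER.findall(line):
                if name not in approved:
                    findings.append(f"{attrs.relative_to(repo)}:{n}: filter={name}")
    return findings
```

The audit reads only the repository-local config; filter drivers defined in a user-level or system-level Git config need a separate check.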
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Belgium, Denmark, Switzerland
Technical Details
- Article source: https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html (fetched 2026-01-21T03:06:10.011Z, word count 1081)
Threat ID: 697042a44623b1157c81b946
Added to database: 1/21/2026, 3:06:12 AM
Last enriched: 1/21/2026, 3:06:47 AM
Last updated: 2/7/2026, 7:10:48 PM