UPDATED 08:00 EDT / JANUARY 20 2026

Anthropic’s official Git MCP server hit by chained flaws that enable file access and code execution

Anthropic PBC’s official Git Model Context Protocol server has several security vulnerabilities that can lead to arbitrary file access and, in some scenarios, full remote code execution triggered entirely through prompt injection.

That’s according to a new report out today from artificial intelligence security startup Cyata Security Ltd. The flaws affect mcp-server-git, the reference implementation of Anthropic’s MCP for Git that is intended to demonstrate how developers should safely expose Git repositories to large language model-powered agents.

According to Cyata, the issues affect all default deployments released before Dec. 18, 2025. They can be exploited by attackers who can influence content an AI assistant reads, such as a malicious README file, poisoned issue description, or compromised web page.

Three distinct vulnerabilities were identified in the server: an unrestricted git_init capability that allowed repository initialization at arbitrary filesystem paths, a path validation bypass that enabled access to repositories outside the configured allowlist, and an argument injection flaw in the git_diff tool that passed unsanitized input to the Git command-line interface. When chained together, the flaws allow attackers to read or delete arbitrary files and overwrite files on the host system.

The vulnerabilities are particularly interesting in that the affected code was found in Anthropic’s own reference implementation.

“This is the canonical Git MCP server, the one developers are expected to copy,” said Shahar Tal, Cyata’s co-founder and chief executive. “If security boundaries break down even in the reference implementation, it’s a signal that the entire MCP ecosystem needs deeper scrutiny. These are not edge cases or exotic configurations, they work out of the box.”

Severity ratings for the vulnerabilities vary depending on the scoring system used. GitHub’s security advisory assigns a medium severity rating under Common Vulnerability Scoring System 4.0, while GitLab’s advisory database rates the issues as high severity under CVSS 3.1. Cyata says the discrepancy reflects GitHub’s adoption of CVSS 4.0, which applies a more granular scoring methodology.

The risk presented by the vulnerabilities also varies depending on where the Git MCP server is used, and it increases significantly when the server is used alongside the Filesystem MCP server.

In that situation, attackers can abuse Git’s smudge and clean filters to execute shell commands defined in repository configuration files to achieve remote code execution. That’s because the MCP servers act on decisions made by large language models and the LLMs can be manipulated through prompt injection. That in turn means the entire exploit chain can be triggered without credentials, shell access or direct interaction with the target system.
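A defender-side audit for the filter drivers described above, as an added example that is not code from Cyata's report or from mcp-server-git: it lists every smudge, clean or process command in a repository config and every .gitattributes pattern that enables a filter. The function names and sample input are constructed for illustration, and the parser is simplified (it ignores include directives and the deprecated `[filter.name]` section form).

```python
import re

# [section] or [section "subsection"] header in a Git config file.
SECTION = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
# Keys under [filter "<driver>"] whose values Git runs as commands.
COMMAND_KEYS = {"smudge", "clean", "process"}

def find_filter_drivers(config_text):
    """Return (driver, key, command) for each filter command in a Git config."""
    findings, section, driver = [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = SECTION.match(line)
        if header:
            section, driver = header.group(1).lower(), header.group(2)
            continue
        key, sep, value = line.partition("=")
        if section == "filter" and sep and key.strip().lower() in COMMAND_KEYS:
            findings.append((driver, key.strip().lower(), value.strip()))
    return findings

def attributes_using_filters(attributes_text):
    """Return (pattern, driver) pairs from .gitattributes that enable a filter."""
    pairs = []
    for raw in attributes_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        for attr in parts[1:]:
            if attr.startswith("filter="):
                pairs.append((parts[0], attr[len("filter="):]))
    return pairs

# Constructed sample input; the command is a placeholder, not from the report.
SAMPLE_CONFIG = '''[core]
    repositoryformatversion = 0
[filter "example"]
    smudge = example-filter --smudge
    clean = example-filter --clean
'''
SAMPLE_ATTRIBUTES = "*.dat filter=example\n*.txt text\n"

if __name__ == "__main__":
    print(find_filter_drivers(SAMPLE_CONFIG))
    print(attributes_using_filters(SAMPLE_ATTRIBUTES))
```

Git LFS registers filter drivers of its own, so findings need triage against the tooling a repository is expected to use.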

“This research shows how traditional assumptions about trust boundaries collapse once LLMs are placed in the decision loop,” said Cyata co-founder and Chief Technology Officer Baruch Weizman. “Tooling that looks safe in isolation can become dangerous when an attacker controls the model’s inputs.”

Cyata reported the vulnerabilities to Anthropic in June last year and fixes were released Dec. 17. The fix included removing the git_init tool entirely from the Git MCP server offering.

Organizations that have yet to update their mcp-server-git installs are being encouraged to do so immediately, to treat all MCP tool arguments as untrusted input, restrict which MCP servers and tools agents are allowed to invoke, and evaluate agent permissions holistically rather than tool by tool.
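What treating tool arguments as untrusted input can look like for the two input-handling flaws named in this article, as an added example that is not the project's code or Anthropic's actual fix: the repository path is canonicalized and must resolve to an existing repository under the allowlisted root, and a revision that Git would parse as an option is refused. All function names, the directory layout and the sample values are constructed for illustration.

```python
import os
import tempfile

class ToolArgumentError(ValueError):
    """An MCP tool argument failed validation."""

def resolve_repo(requested, allowed_root):
    """Canonicalize the requested path and require it to sit under allowed_root."""
    root = os.path.realpath(allowed_root)
    path = os.path.realpath(requested)  # collapses ".." and follows symlinks
    if os.path.commonpath([root, path]) != root:
        raise ToolArgumentError(f"outside allowlist: {requested!r}")
    if not os.path.isdir(os.path.join(path, ".git")):
        raise ToolArgumentError(f"not an existing repository: {requested!r}")
    return path

def check_revision(rev):
    """Reject values Git would parse as an option instead of a revision."""
    if not rev or rev.startswith("-") or any(c.isspace() or ord(c) < 32 for c in rev):
        raise ToolArgumentError(f"unsafe revision: {rev!r}")
    return rev

def build_diff_argv(repo, target, allowed_root):
    """Build an argv list (never a shell string) for a diff against target."""
    path = resolve_repo(repo, allowed_root)
    # --end-of-options (Git 2.24+) keeps later arguments from being read as flags.
    return ["git", "-C", path, "diff", "--end-of-options", check_revision(target), "--"]

def run_constructed_cases():
    """Exercise the checks on a constructed temp layout; returns {case: outcome}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        os.makedirs(os.path.join(allowed, "repo", ".git"))
        os.makedirs(os.path.join(tmp, "outside", ".git"))
        os.symlink(os.path.join(tmp, "outside"), os.path.join(allowed, "link"))
        cases = {
            "in_allowlist": (os.path.join(allowed, "repo"), "main"),
            "dotdot": (os.path.join(allowed, "..", "outside"), "main"),
            "symlink": (os.path.join(allowed, "link"), "main"),
            "option_as_rev": (os.path.join(allowed, "repo"), "--example-flag"),
        }
        for name, (repo, target) in cases.items():
            try:
                build_diff_argv(repo, target, allowed)
                results[name] = "accepted"
            except ToolArgumentError as exc:
                results[name] = "rejected: " + str(exc).split(":")[0]
    return results
```

Comparing canonical paths rather than string prefixes is what makes the `..` and symlink cases fail, and requiring an existing `.git` directory means the tool never creates a repository at a caller-chosen location.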
