INC-25-0035 · Status: Confirmed · Severity: High · Near Miss

Three Chained Prompt Injection Vulnerabilities in Anthropic MCP Git Server (2025)

Attribution

Anthropic developed, and users of Claude Desktop, Cursor, and Windsurf IDE deployed, Anthropic MCP Git Server (mcp-server-git), harming developers using MCP Git Server with AI-powered code editors; possible contributing factors include prompt injection vulnerability, inadequate access controls, and insufficient safety testing.

Incident Details

Last Updated 2026-03-29

Cyata Security discovered three chainable vulnerabilities in Anthropic's official MCP Git Server — CVE-2025-68143 (CVSS 8.8), CVE-2025-68144 (CVSS 8.1), and CVE-2025-68145 (CVSS 7.1) — that together enabled remote code execution through Git smudge and clean filters when combined with the Filesystem MCP server, triggered via indirect prompt injection in malicious README files.

Incident Summary

Cyata Security discovered three chainable vulnerabilities in Anthropic’s official MCP Git Server that together enabled remote code execution on developer machines running AI-powered code editors including Claude Desktop, Cursor, and Windsurf.[2] CVE-2025-68143 (CVSS 8.8) allowed unrestricted git_init calls to arbitrary filesystem paths without validation. CVE-2025-68144 (CVSS 8.1) permitted argument injection in git_diff and git_checkout functions where user-controlled arguments were passed directly to GitPython without sanitization, enabling file overwrites via injected flags. CVE-2025-68145 (CVSS 7.1) bypassed the --repository flag’s path validation for subsequent repo_path arguments, allowing access to any repository on the system.[1][2] When chained with the Filesystem MCP server, these flaws enabled a four-step attack achieving code execution through Git smudge and clean filters — features that execute shell commands from repository configuration.[2] The attack could be triggered via indirect prompt injection in a malicious README file without requiring direct repository access.[1] Anthropic patched all three vulnerabilities in version 2025.12.18 and removed the git_init tool entirely.[2]

Key Facts

  • CVE-2025-68143 (CVSS 8.8): Unrestricted git_init accepting arbitrary filesystem paths without validation[1]
  • CVE-2025-68144 (CVSS 8.1): Argument injection in git_diff and git_checkout via unsanitized user-controlled arguments passed to GitPython, enabling arbitrary file overwrite[2]
  • CVE-2025-68145 (CVSS 7.1): Path traversal bypass in the --repository flag that failed to validate subsequent repo_path arguments[2]
  • Chaining mechanism: Four-step process — (1) create Git repository in a writable directory, (2) write malicious bash scripts via Filesystem MCP, (3) configure Git smudge/clean filters in .git/config and .gitattributes, (4) trigger filter execution during Git operations[2]
  • Attack trigger: Indirect prompt injection via malicious content in README files or GitHub issues, causing the AI assistant to follow unintended commands[1]
  • Affected tools: Claude Desktop, Cursor, and Windsurf IDE when configured with the MCP Git Server[1]
  • Discovery: Cyata Security reported vulnerabilities in June 2025; Anthropic patched in version 2025.12.18 (December 2025); public disclosure January 2026[2]
  • Exploitation status: No evidence of active exploitation in the wild at time of disclosure[2]
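
An added example, not Anthropic's patch and not code from mcp-server-git: one way a tool handler can close the two input-handling classes listed above, by re-checking repo_path against the configured repository on every call and by refusing ref values that git would read as options. The function names, `ToolInputError`, and the use of git's `--end-of-options` marker are assumptions of this example.

```python
from pathlib import Path


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation (hypothetical name)."""


def resolve_repo_path(allowed_root: str, repo_path: str) -> Path:
    """Return repo_path fully resolved, or raise if it escapes allowed_root.

    Meant to run on every tool call, not only at startup, so a later
    repo_path argument cannot point outside the configured repository.
    """
    root = Path(allowed_root).resolve()
    candidate = Path(repo_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve()  # collapses ".." and follows symlinks
    if candidate != root and root not in candidate.parents:
        raise ToolInputError(f"{repo_path!r} is outside {str(root)!r}")
    return candidate


def check_ref(ref: str) -> str:
    """Reject values that git would parse as an option instead of a ref."""
    if not ref or ref.startswith("-"):
        raise ToolInputError(f"{ref!r} is not an acceptable ref name")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in ref):
        raise ToolInputError("whitespace or control character in ref")
    return ref


def build_diff_argv(allowed_root: str, repo_path: str, target: str) -> list[str]:
    """Build an argv list for `git diff` from validated inputs only."""
    repo = resolve_repo_path(allowed_root, repo_path)
    # "--end-of-options" tells git that nothing after it is an option.
    return ["git", "-C", str(repo), "diff", "--end-of-options", check_ref(target)]
```

Comparing resolved paths by ancestry rather than by string prefix keeps a sibling directory such as `repo-other` from passing as being inside `repo`.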

Threat Patterns Involved

Primary: Prompt Injection Attack — The attack chain is initiated through indirect prompt injection: malicious instructions embedded in repository README files or GitHub issues cause the AI assistant to execute the vulnerability chain without the developer explicitly requesting it. This demonstrates that MCP servers introduce a new class of prompt injection risk where the AI agent’s tool calls become the exploitation mechanism.

Secondary: Tool Misuse & Privilege Escalation — The three vulnerabilities together enable escalation from read-only Git operations to arbitrary code execution by chaining path traversal, argument injection, and Git filter mechanisms with the Filesystem MCP server. The attack exploits the MCP protocol’s design of granting AI agents access to multiple server capabilities simultaneously.
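
An added example (not from Cyata's report or the MCP Git Server code base) of a defender-side check for the filter mechanism named above: it lists the clean/smudge/process commands that a repository's `.git/config` defines for drivers its `.gitattributes` actually applies, skipping an allow-list. The sample input, the `approved` allow-list and the function names are constructed for illustration.

```python
import re

SECTION = re.compile(r'^\s*\[\s*filter\s+"([^"]+)"\s*\]\s*$', re.I)
ANY_SECTION = re.compile(r"^\s*\[")
KEYVAL = re.compile(r"^\s*(clean|smudge|process)\s*=\s*(.*)$", re.I)
ATTR = re.compile(r"(?:^|\s)filter=(\S+)")

# Constructed sample input: one widely used driver plus one unknown driver.
SAMPLE_CONFIG = """\
[filter "lfs"]
\tclean = git-lfs clean -- %f
\tsmudge = git-lfs smudge -- %f
[filter "example"]
\tclean = ./placeholder-clean.sh
\tsmudge = ./placeholder-smudge.sh
"""
SAMPLE_ATTRIBUTES = "*.bin filter=lfs diff=lfs\n*.txt filter=example\n"


def filter_drivers(config_text):
    """Map each [filter "name"] section to its command-bearing keys."""
    found, current = {}, None
    for line in config_text.splitlines():
        if (m := SECTION.match(line)):
            current = m.group(1)
        elif ANY_SECTION.match(line):
            current = None  # entered a non-filter section
        elif current and (kv := KEYVAL.match(line)):
            found.setdefault(current, {})[kv.group(1).lower()] = kv.group(2).strip()
    return found


def audit(config_text, attr_text, approved=frozenset({"lfs"})):
    """List (pattern, driver, key, command) for unapproved drivers in use."""
    drivers = filter_drivers(config_text)
    findings = []
    for line in attr_text.splitlines():
        m = ATTR.search(line)
        if not line.strip() or line.lstrip().startswith("#") or not m:
            continue
        name = m.group(1)
        if name in drivers and name not in approved:
            findings += [(line.split()[0], name, k, v) for k, v in sorted(drivers[name].items())]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ATTRIBUTES):
        print(finding)
```

Filter drivers can also be defined in global or system Git configuration, so the same check applies to those files as well as the per-repository one.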

Significance

  1. MCP protocol as an attack surface — This is among the first documented vulnerability chains in Anthropic’s Model Context Protocol infrastructure, demonstrating that MCP servers designed to extend AI assistant capabilities simultaneously extend the attack surface available to adversaries
  2. Cross-server chaining — The exploitation requires combining vulnerabilities across two MCP servers (Git and Filesystem), highlighting that security analysis of MCP deployments must consider the combined capabilities of all connected servers rather than evaluating each in isolation
  3. Indirect prompt injection at the tool layer — The ability to trigger exploitation through a malicious README file, without any direct interaction from the developer, demonstrates that AI tool integrations create passive attack vectors in repositories that developers may never explicitly open or review
  4. Remediation approach — Anthropic’s decision to remove the git_init tool entirely rather than attempt to sanitize inputs reflects the difficulty of securing AI tool interfaces where natural language commands must be translated into system operations

Timeline

Cyata Security discovers three vulnerabilities in Anthropic's MCP Git Server

Anthropic releases patched mcp-server-git version 2025.12.18

Public disclosure by Cyata; coverage by The Hacker News and The Register

Outcomes

Recovery:
Anthropic patched all three CVEs in mcp-server-git version 2025.12.18; git_init tool removed entirely
Other:
No evidence of active exploitation in the wild reported

Use in Retrieval

INC-25-0035 documents Three Chained Prompt Injection Vulnerabilities in Anthropic MCP Git Server, a high-severity incident classified under the Security & Cyber domain and the Prompt Injection Attack threat pattern (PAT-SEC-006). It occurred in North America, Europe (2025-06). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "Three Chained Prompt Injection Vulnerabilities in Anthropic MCP Git Server," INC-25-0035, last updated 2026-03-29.

Sources

  1. Three Flaws in Anthropic MCP Git Server Enable Code Execution via Prompt Injection (news, 2026-01)
    https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html
  2. Anthropic MCP Git Server Prompt Injection Flaws Found (news, 2026-01-20)
    https://www.theregister.com/2026/01/20/anthropic_prompt_injection_flaws/

Update Log

  • — First logged (Status: Confirmed, Evidence: Corroborated)