Overview
- Researchers disclosed three CVEs in mcp-server-git — CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145 — affecting git_init, git_diff/git_checkout argument handling, and --repository path validation.
- Anthropic removed the git_init tool and added stricter path and argument validation, with fixes landing in versions 2025.9.25 and 2025.12.18.
- Cyata showed that an indirect prompt injection can chain the Git and Filesystem MCP servers and abuse Git smudge/clean filters to overwrite files or execute code.
- Default deployments prior to 2025.12.18 could turn arbitrary directories into repositories, access unintended repos, or overwrite files, so users should upgrade immediately.
- There is no public evidence of exploitation in the wild, and The Register reported Anthropic did not respond to inquiries as researchers urged holistic security reviews of chained MCP tools.
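The three controls these fixes boil down to (confine repository paths to an allowed root, refuse arguments that git would parse as options, and audit filter drivers that can run commands on checkout) can be illustrated in a few lines. The Python below is an added example written for this summary, not code from Anthropic's mcp-server-git; it assumes a policy root of `/srv/repos`, a constructed `.git/config` sample, and that the fixed releases validate paths and reject leading-dash arguments in roughly this way (an assumption about the fix, not a statement taken from the advisories).

```python
"""Defensive checks of the kind an MCP git tool needs (illustrative, not the project's code)."""
import os
import re
from typing import Dict, List

# Assumed policy: only repositories under this directory may be served.
ALLOWED_ROOT = "/srv/repos"


def validate_repo_path(requested: str, allowed_root: str = ALLOWED_ROOT) -> str:
    """Canonicalize (symlinks, '..') and require the result to stay under allowed_root.

    A plain string-prefix check would accept '/srv/repos2'; commonpath does not.
    """
    root = os.path.realpath(allowed_root)
    joined = requested if os.path.isabs(requested) else os.path.join(root, requested)
    candidate = os.path.realpath(joined)
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"repository path escapes allowed root: {requested!r}")
    return candidate


def is_path_allowed(requested: str, allowed_root: str = ALLOWED_ROOT) -> bool:
    try:
        validate_repo_path(requested, allowed_root)
        return True
    except ValueError:
        return False


def validate_ref_arg(arg: str) -> str:
    """Reject values git would read as an option (e.g. '--output=...') instead of a ref/path."""
    if not arg or arg.startswith("-"):
        raise ValueError(f"refusing option-like git argument: {arg!r}")
    if "\x00" in arg or "\n" in arg:
        raise ValueError("control characters in git argument")
    return arg


def is_safe_ref_arg(arg: str) -> bool:
    try:
        validate_ref_arg(arg)
        return True
    except ValueError:
        return False


def build_git_argv(subcommand: str, *refs: str) -> List[str]:
    """Build an argv list (never a shell string) from validated refs only."""
    return ["git", subcommand, *(validate_ref_arg(r) for r in refs)]


# Filter drivers are configured in .git/config and bound to paths via .gitattributes;
# a smudge/clean/process command there runs on checkout or add, which is the
# mechanism the chained-MCP scenario abuses. Listing them is a cheap audit step.
_SECTION_RE = re.compile(r'^\s*\[filter\s+"(?P<name>[^"]+)"\]\s*$')
_HOOK_RE = re.compile(r"^\s*(?P<key>smudge|clean|process)\s*=\s*(?P<cmd>.+?)\s*$")


def find_filter_commands(git_config_text: str) -> List[Dict[str, str]]:
    found: List[Dict[str, str]] = []
    current = None
    for line in git_config_text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name")
            continue
        if line.strip().startswith("["):  # any other section ends the filter block
            current = None
            continue
        if current is None:
            continue
        kv = _HOOK_RE.match(line)
        if kv:
            found.append({"filter": current, "hook": kv.group("key"), "command": kv.group("cmd")})
    return found


# Constructed sample config: one legitimate LFS driver and one driver pointing at an
# untrusted script (the kind of entry a reviewer would want flagged).
SAMPLE_GIT_CONFIG = """\
[core]
    repositoryformatversion = 0
    filemode = true
[filter "lfs"]
    clean = git-lfs clean -- %f
    smudge = git-lfs smudge -- %f
    required = true
[filter "untrusted"]
    smudge = sh /tmp/untrusted-script.sh %f
[remote "origin"]
    url = https://example.invalid/repo.git
"""

if __name__ == "__main__":
    print(is_path_allowed("project"), is_path_allowed("../etc"))
    print(build_git_argv("diff", "main", "HEAD~1"))
    for hit in find_filter_commands(SAMPLE_GIT_CONFIG):
        print(f"filter {hit['filter']!r} {hit['hook']}: {hit['command']}")
```

The ref check is deliberately a denylist of a single character because the failure mode is specific: any argument beginning with `-` is option syntax to git, regardless of subcommand. The path check relies on `realpath` plus `commonpath` rather than `startswith`, so sibling directories that share a prefix with the root are rejected. The filter scan reads config text only; it does not decide whether a command is malicious, it surfaces every command that git would execute on checkout so a human can review it.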