
Anthropic Git MCP Server RCE Chain (CVE-2025-68145 / 68143 / 68144)

Also known as: mcp-server-git Triple RCE, Anthropic Git MCP Path Bypass

Severity: Critical | Disclosed: January 20, 2026 | Credited to: Security Researchers (via The Register) | CVEs: CVE-2025-68145, CVE-2025-68143, CVE-2025-68144

Overview

Three chained vulnerabilities in Anthropic's own mcp-server-git: CVE-2025-68145 (path validation bypass), CVE-2025-68143 (git_init with no restriction on its target directory, so it can turn a directory such as ~/.ssh into a git repository), and CVE-2025-68144 (argument injection in git_diff). Combined with the Filesystem MCP server, which supplies the file write needed to plant a malicious .git/config, the chain yields full remote code execution on the machine running the servers.

Who Is Affected

Anyone running mcp-server-git earlier than v2025.12.18, and in particular developers who run it alongside the Filesystem MCP server with write access to their home directory. Disclosed January 20, 2026 (originally reported June 2025). These vulnerabilities are in Anthropic's own official MCP server for Git operations, making this particularly notable as a first-party security failure.

Where It Exists

The vulnerabilities span three places in mcp-server-git: the path validation logic (bypassed with relative path segments), the git_init tool (no restriction on the target directory), and the git_diff tool (argument injection). The attack chain also leverages the Filesystem MCP server, which provides the file write used to plant the malicious .git/config.

When It Was Found

Reported to Anthropic in June 2025. Publicly disclosed January 20, 2026, after the fix shipped in mcp-server-git v2025.12.18. As part of the remediation the git_init tool was removed entirely rather than patched.

How It Works

Step 1: Use the path validation bypass (CVE-2025-68145) to reach directories outside the configured repository scope via relative path segments.
Step 2: Use the unrestricted git_init (CVE-2025-68143) to initialize a git repository in ~/.ssh or another sensitive directory that is now reachable.
Step 3: Use the Filesystem MCP server to write a malicious .git/config into that repository. The config file is not a hook script, but git honours several config keys that make it spawn an external program, so an attacker-controlled config is enough to get a command run.
Step 4: Use the git_diff argument injection (CVE-2025-68144) to make git operate on that repository; git reads the planted config and runs the attacker's command, giving arbitrary code execution.
Every step is an ordinary tool call, so an attacker who can steer the model's tool use, rather than one with direct access to the host, can run the whole chain.

Impact

Full remote code execution via a multi-step chain targeting Anthropic's own MCP servers. Attackers can read or replace SSH keys, inject backdoors into any git repository the developer works on, and gain persistent access to the developer's system. The fact that this was in Anthropic's first-party server undermines trust in the official MCP ecosystem.

Mitigation

Update mcp-server-git to v2025.12.18 or later; that release removes the git_init tool entirely. For any MCP tool that accepts paths, resolve them to canonical absolute form (collapsing ".." and following symlinks) before comparing against the allowed roots, and reject anything that resolves outside them; a string-prefix comparison is not a scope check. Never allow MCP tools to operate on directories outside explicitly configured scopes. Audit how every git-related tool passes user-controlled values to git: any value that git could parse as an option (in particular one starting with "-") must be rejected or kept separate from git's option parsing. Running the Filesystem and Git servers with the narrowest directory scope that still works limits the blast radius if a future bug of this kind appears.
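The weak checks this chain depends on, beside hardened versions, as an added example rather than mcp-server-git's own code. It illustrates Step 1 and Step 4 of the chain above and the path-resolution and argument-audit advice in this section: a string-prefix scope check that "../" segments and symlinks walk straight through, and a git argv builder that lets a user-supplied revision become a git option. All function and class names are hypothetical, the directories are constructed in a temporary directory, a POSIX filesystem with symlinks is assumed, and git itself is never invoked (the example only shows what argv would be handed to it).

```python
"""Added example, not mcp-server-git's own code: a naive scope check and a
naive git argv builder of the kind this chain abuses, beside hardened versions.
All names here are hypothetical; assumes a POSIX filesystem (symlinks)."""
import os
import tempfile
from pathlib import Path


class ScopeError(ValueError):
    """Raised when a path or argument falls outside what the tool may touch."""


def naive_in_scope(allowed_root: str, requested: str) -> bool:
    # Weak check: plain string prefix. ".." segments and symlinks are never
    # resolved, so "<root>/../secret" passes although it points outside root.
    candidate = os.path.join(allowed_root, requested)
    return candidate.startswith(allowed_root)


def resolve_in_scope(allowed_root: str, requested: str) -> Path:
    # Hardened check: canonicalise both sides (collapses "..", follows symlinks),
    # then require the canonical target to sit inside the canonical root.
    root = Path(allowed_root).resolve(strict=True)
    target = (root / requested).resolve(strict=False)
    try:
        target.relative_to(root)
    except ValueError:
        raise ScopeError(f"{requested!r} escapes {allowed_root!r}") from None
    return target


def naive_git_diff_argv(repo_path: str, target: str) -> list:
    # Vulnerable pattern: the user-controlled revision lands in argv unchecked,
    # so a target like "--output=/tmp/x" is parsed by git as an option.
    return ["git", "-C", repo_path, "diff", target]


def safe_git_diff_argv(repo_path: str, target: str) -> list:
    # Hardened: a legitimate revision never starts with "-" (git refnames may
    # not begin with a dash) and never contains control characters, so refuse
    # both before anything reaches git's option parser.
    if not target or target.startswith("-") or any(ord(c) < 32 for c in target):
        raise ScopeError(f"rejected git argument {target!r}")
    return ["git", "-C", repo_path, "diff", target]


def demo() -> dict:
    # Constructed scenario: an allowed root, a sibling "secret" directory, and
    # a symlink inside the root that points at the sibling.
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "allowed")
        secret = os.path.join(tmp, "secret")
        os.mkdir(root)
        os.mkdir(secret)
        os.symlink(secret, os.path.join(root, "link"))
        out = {}
        cases = (("dotdot", "../secret"), ("symlink", "link"), ("inside", "src"))
        for label, requested in cases:
            out["naive_" + label] = naive_in_scope(root, requested)
            try:
                resolve_in_scope(root, requested)
                out["safe_" + label] = True
            except ScopeError:
                out["safe_" + label] = False
        injected = "--output=/tmp/pwned"
        out["naive_argv"] = naive_git_diff_argv(root, injected)[-1]
        try:
            safe_git_diff_argv(root, injected)
            out["safe_argv_rejected"] = False
        except ScopeError:
            out["safe_argv_rejected"] = True
        out["safe_argv_ok"] = safe_git_diff_argv(root, "HEAD~1")[-1]
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the file shows the naive check accepting all three requests while the hardened resolver accepts only the one that stays inside the root; the comparison is done on canonical paths, so neither ".." nor a symlink can move the target outside. The argv guard relies on the fact that git refnames cannot begin with a dash, so refusing a leading "-" blocks option injection without rejecting any legitimate revision.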
