Mcp-server-git path traversal and argument injection flaws (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Anthropic's mcp-server-git now has three disclosed vulnerabilities that can enable arbitrary file read/delete and code execution in affected deployments. The issues map to CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145, spanning path traversal and argument injection in Git tooling. Fixes were released in 2025.9.25 and 2025.12.18, and one vulnerable tool was later removed. Cyata also showed how the flaws can be chained through prompt injection to reach remote code execution.
Related Happenings
GitHub Agentic Workflows indirect prompt injection security flaw
Vulnerability
H score27
First: 07.07.2026 17:04
Last: 07.07.2026 17:04
Sources 1
About this happening:
**GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
GitHub Agentic Workflows indirect prompt injection security flaw
VulnerabilityAbout this happening: **GitHub Agentic Workflows** has an **indirect prompt injection** flaw that can let a **public issue** leak content from **private repositories** into public comments. The risk is...
Claude Code GitHub Action bot trigger bypass security flaw
Vulnerability
H score31
First: 04.06.2026 18:15
Last: 04.06.2026 18:15
Sources 1
About this happening:
**Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
Claude Code GitHub Action bot trigger bypass security flaw
VulnerabilityAbout this happening: **Anthropic's Claude Code GitHub Action** had a **trigger-check bypass** that let a malicious **GitHub issue** escalate into **repository takeover** for vulnerable public reposito...
MCP STDIO arbitrary command execution security flaw
Vulnerability
H score53
First: 16.04.2026 12:40
Last: 16.04.2026 12:40
Sources 1
About this happening:
A **critical MCP flaw** in the **STDIO interface** can trigger **arbitrary command execution**, putting **connected AI systems** at risk of **data exposure** and **system takeover...
MCP STDIO arbitrary command execution security flaw
VulnerabilityAbout this happening: A **critical MCP flaw** in the **STDIO interface** can trigger **arbitrary command execution**, putting **connected AI systems** at risk of **data exposure** and **system takeover...
Ghostscript OpenSC and CGIF memory corruption flaws memory corruption flaw
Vulnerability
H score0
First: 06.02.2026 07:49
Last: 06.02.2026 07:49
Sources 1
About this happening:
**Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...
Ghostscript OpenSC and CGIF memory corruption flaws memory corruption flaw
VulnerabilityAbout this happening: **Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...
Figma MCP version 0.6.3 remediation guidance
Advisory/Mitigation
H score34
First: 08.10.2025 20:14
Last: 08.10.2025 20:14
Sources 1
About this happening:
Users of **Figma MCP** were told to **upgrade to version 0.6.3 or higher** to reduce exposure to a **command-injection** flaw that could enable **remote code execution**. The reme...
Figma MCP version 0.6.3 remediation guidance
Advisory/MitigationAbout this happening: Users of **Figma MCP** were told to **upgrade to version 0.6.3 or higher** to reduce exposure to a **command-injection** flaw that could enable **remote code execution**. The reme...
Timeline
-
20.01.2026 15:55 2 articles · 5mo ago
Anthropic mcp-server-git vulnerabilities disclosed and patched
Initial DisclosureCyata disclosed three CVE-backed vulnerabilities in Anthropic's mcp-server-git Python MCP server: CVE-2025-68143, a path traversal issue in git_init; CVE-2025-68144, an argument injection issue in git_diff and git_checkout; and CVE-2025-68145, a path traversal issue in --repository handling. The flaws were reported as exploitable through prompt injection to read or delete arbitrary files and execute code, with fixes released in versions 2025.9.25 and 2025.12.18 and git_init later removed alongside extra path validation to reduce abuse.
Show sources
- Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
- Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01