Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
Summary
Three vulnerabilities in mcp-server-git, which is maintained by Anthropic, allow file access, file deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. They include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat and highlight the risks of prompt injection attacks that require no direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger them. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.
Timeline
- 20.01.2026 15:55 · 2 articles
Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
- Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
- Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
Information Snippets
- CVE-2025-68143 (CVSS score: 8.8 [v3] / 6.5 [v4]) - Path traversal vulnerability in git_init tool due to lack of path validation.
  First reported: 20.01.2026 15:55 · 2 sources, 2 articles
  - Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- CVE-2025-68144 (CVSS score: 8.1 [v3] / 6.4 [v4]) - Argument injection vulnerability in git_diff and git_checkout functions due to unsanitized user-controlled arguments.
  First reported: 20.01.2026 15:55 · 2 sources, 2 articles
  - Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- CVE-2025-68145 (CVSS score: 7.1 [v3] / 6.3 [v4]) - Path traversal vulnerability due to missing path validation in the --repository flag.
  First reported: 20.01.2026 15:55 · 2 sources, 2 articles
  - Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- Successful exploitation could allow attackers to turn any directory into a Git repository, overwrite files, and access any repository on the server.
  First reported: 20.01.2026 15:55 · 2 sources, 2 articles
  - Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- The vulnerabilities were addressed in versions 2025.9.25 and 2025.12.18 following responsible disclosure in June 2025.
  First reported: 20.01.2026 15:55 · 2 sources, 2 articles
  - Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution — thehackernews.com — 20.01.2026 15:55
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations.
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- An attacker only needs to influence what an AI assistant reads, such as a malicious README file, a poisoned issue description, or a compromised webpage, to trigger the vulnerabilities.
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- The flaws allow attackers to execute code when mcp-server-git is used alongside a filesystem MCP server, delete arbitrary files, and load arbitrary files into a large language model's context.
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- The vulnerabilities do not directly exfiltrate data, but sensitive files may still be exposed to the AI, creating downstream security and privacy risks.
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- Previous MCP-related issues typically relied on unusual configurations or unsafe deployments, but these vulnerabilities work "out of the box."
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
- The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.
  First reported: 20.01.2026 17:01 · 1 source, 1 article
  - Prompt Injection Bugs Found in Official Anthropic Git MCP Server — www.infosecurity-magazine.com — 20.01.2026 17:01
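The two bug classes named in the CVE entries above (missing path validation, and unsanitized arguments passed to Git) correspond to two server-side checks, shown here as an added example that is not mcp-server-git's code or its patch. The helper names `confine_repo_path`, `safe_ref` and `diff_argv`, the revision allowlist and the sample inputs are assumptions made for this sketch.

```python
# Added illustration: hypothetical helpers, not mcp-server-git's code or its patch.
import re
from pathlib import Path

# Conservative allowlist for revision names (an assumption of this sketch).
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/@^~-]*")


def confine_repo_path(allowed_root: str, requested: str) -> Path:
    """Return the resolved path only if it stays inside allowed_root."""
    root = Path(allowed_root).resolve()
    # Joining with an absolute `requested` discards root, and resolve()
    # collapses ".." and follows symlinks, so compare only after resolving.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {requested!r}")
    return candidate


def safe_ref(value: str) -> str:
    """Reject values Git would parse as an option instead of a revision."""
    if value.startswith("-") or not _REF_RE.fullmatch(value):
        raise ValueError(f"not an acceptable revision name: {value!r}")
    return value


def diff_argv(allowed_root: str, repo: str, target: str) -> list[str]:
    """Build an argument vector (no shell) for `git diff` against target."""
    repo_path = confine_repo_path(allowed_root, repo)
    # --end-of-options (Git 2.24+) stops option parsing as a second layer.
    return ["git", "-C", str(repo_path), "diff", "--end-of-options", safe_ref(target)]


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # constructed sample inputs
        print(diff_argv(root, "project", "main"))
        for repo, target in [("../elsewhere", "main"), ("project", "--option-like")]:
            try:
                diff_argv(root, repo, target)
            except ValueError as exc:
                print("rejected:", exc)
```

Both checks run on the server side of the tool call, so they hold regardless of what text the model was induced to pass as arguments.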
Similar Happenings
Chainlit Framework Vulnerabilities Expose AI Application Infrastructure
Two security vulnerabilities in the Chainlit framework, tracked as CVE-2026-22218 and CVE-2026-22219, highlight risks posed by traditional web flaws in AI application environments. These vulnerabilities allow authenticated users to read arbitrary files and perform server-side request forgery (SSRF), potentially exposing sensitive data and cloud resources. Chainlit, widely used for building conversational AI applications, released a patch (version 2.9.4) on 24 December 2025 to address these issues. The vulnerabilities were collectively dubbed ChainLeak by Zafran Security and were responsibly disclosed on November 23, 2025. Chainlit has been downloaded over 220,000 times in the past week and has attracted a total of 7.3 million downloads to date.
CamoLeak Attack Exploits GitHub Copilot for Data Exfiltration
A new proof-of-concept (PoC) attack, dubbed 'CamoLeak,' demonstrates how GitHub Copilot can be exploited to exfiltrate sensitive user data through a series of complex steps. The attack leverages hidden comments and image tags to bypass GitHub's security features, allowing an attacker to steal small amounts of data, such as passwords or private keys, without detection. The attack involves two main phases: prompt injection to influence Copilot's output and a bypass of GitHub's Camo security feature using invisible image tags. GitHub has since disabled image rendering in Copilot chat to mitigate this risk. The technique is not suitable for large-scale data exfiltration but can selectively leak sensitive information within minutes.
Command Injection Vulnerability in Figma MCP
A command injection vulnerability (CVE-2025-53967) in the Figma MCP server allows remote code execution. The flaw, stemming from unsanitized user input, was patched in version 0.6.3. The issue affects developers using AI-powered coding agents like Cursor. The vulnerability could be exploited by attackers on the same network or via DNS rebinding attacks. It was discovered by Imperva in July 2025 and was addressed in the latest release. The flaw resides in the 'src/utils/fetch-with-retry.ts' file, where the curl command is constructed using shell command strings, enabling potential remote code execution. The patch replaces 'child_process.exec()' with 'child_process.execFile()' and implements proper input validation. Users should upgrade to Figma MCP version 0.6.3 or higher, audit systems using vulnerable versions, and review logs for suspicious command execution patterns. There are over 15,000 MCP servers in the world, with many misconfigured and lacking authentication or access controls.
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.