~/home/news/critical-prompt-injection-flaws-2026-01-21
newsWednesday, January 21, 20268 min read👁 45 views

Critical Prompt-Injection Flaws in Anthropic’s Official MCP Git Server

Three high-severity vulnerabilities (CVE-2025-68143/44/45) were discovered in Anthropic's mcp-server-git. They enable prompt-injection attacks that let adversaries drive AI assistants to execute code, delete files, or load malicious data, affecting any deployment that uses the Model Context Protocol.

AnthropicMCPPrompt InjectionCVE

Overview/Introduction

On 20 January 2026, Infosecurity Magazine reported three previously unknown security flaws in Anthropic's official Git server for the Model Context Protocol (MCP), known as mcp-server-git. The research, conducted by the cybersecurity firm Cyata, shows that the server fails to properly validate repository paths and sanitize arguments passed to underlying Git commands. This oversight creates a classic prompt-injection surface: an attacker can craft a malicious repository artifact-such as a README, issue description, or even a compromised web page-that the AI assistant reads, causing the MCP server to execute unintended system actions. The vulnerabilities affect all versions released before 8 December 2025 and are assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Because MCP is the de-facto bridge that lets large language models (LLMs) interact with external tools (filesystems, APIs, databases, and developer utilities like Git), any organization that has integrated Anthropic’s MCP-based workflow is potentially exposed. The bugs enable code execution, arbitrary file deletion, and forced loading of malicious files into an LLM’s context, creating a chain of compromise that can cascade through enterprise AI pipelines.

Technical Details

CVE Summary

  • CVE-2025-68143: Unvalidated repository path traversal in git_diff allowing an attacker to overwrite arbitrary files on the host.
  • CVE-2025-68144: Unsanitized arguments to git_init can be abused to delete directories outside the configured repository root.
  • CVE-2025-68145: Lack of input sanitisation for issue and README content enables prompt injection that triggers the above command abuses without any authentication.

Attack Vector & Exploitation Method

The attack does not require direct network access to the MCP server. Instead, it relies on the LLM’s ability to ingest textual content from a repository. An adversary who can inject a malicious string into a repository artifact-e.g., by forking a public repo and adding a crafted README.md-can cause the following chain:

  1. The AI assistant, operating under a typical "assistant-as-tool" pattern, fetches the repository via the MCP server.
  2. The assistant’s prompt includes the malicious artifact, which contains specially formatted commands that mimic legitimate MCP calls.
  3. Because mcp-server-git forwards the raw text to the underlying Git binary without sanitisation, the server interprets the injected payload as a legitimate command.
  4. Depending on the exploited CVE, the server either runs git diff with a path that points to /etc/passwd, overwriting it, or runs git init with a --bare flag that wipes a target directory, or simply loads a malicious file into the LLM’s context, giving the model access to sensitive data.

Crucially, the exploit works "out of the box" on default installations. No privileged credentials, no remote code execution via a network service, and no need to compromise the underlying host directly. The only prerequisite is the ability to influence the textual content that the LLM processes-a scenario that is realistic in many CI/CD pipelines, open-source contributions, or even internal documentation portals.

Impact Analysis

The impact is multi-layered:

  • Code Execution: By chaining the git_diff vulnerability with MCP’s file-write capability, an attacker can run arbitrary shell commands on the host running the MCP server.
  • Data Destruction: The git_init flaw enables deletion of arbitrary directories, potentially wiping critical application data, source code, or configuration files.
  • Privacy Leakage: Loading malicious files into the LLM context may expose sensitive documents to the model, which could be logged, cached, or inadvertently shared with downstream services.
  • Supply-Chain Propagation: Because many enterprises embed Anthropic’s LLMs via MCP into their internal tooling (e.g., automated code review, documentation generation, or dev-ops bots), a single compromised repository can cascade across multiple internal systems.

Given the breadth of MCP adoption-ranging from start-ups building AI-augmented IDE plugins to Fortune-500 firms automating compliance checks-the vulnerabilities are classified as high severity. While the bugs do not directly exfiltrate data, the indirect exposure of sensitive files to the model and the potential for destructive actions elevate the risk profile substantially.

Timeline of Events

  • July 2025 - Cyata researchers begin internal testing of mcp-server-git after noticing odd path handling in early prototypes.
  • September 2025 - Full disclosure package prepared and submitted to Anthropic under their coordinated vulnerability disclosure program.
  • September 2025 - Anthropic acknowledges receipt, assigns internal bug IDs, and begins triage.
  • October 2025 - Development of patches for all three CVEs begins.
  • 8 December 2025 - Anthropic releases patched versions of mcp-server-git (v2.3.1+), containing input validation and command-whitelisting improvements.
  • 20 January 2026 - Public disclosure by Infosecurity Magazine; CVE identifiers officially published.

Mitigation/Recommendations

  • Update Immediately: Upgrade all mcp-server-git installations to version 2.3.1 or later. The patches introduce strict path canonicalisation, argument escaping, and a deny-list for dangerous Git flags.
  • Restrict File-System Access: Run MCP servers inside minimal containers or sandboxed VMs with read-only mounts for the repository root and no write permissions outside a designated work directory.
  • Validate Repository Content: Integrate static analysis or content-signing steps in CI pipelines to reject pull requests that contain suspicious patterns (e.g., strings that look like MCP commands, excessive use of special characters, or embedded shell-style directives).
  • Least-Privilege LLM Integration: Configure the LLM’s tool-use policy to only allow a whitelist of MCP actions. Disable generic "read any file" or "execute arbitrary command" capabilities unless absolutely required.
  • Monitoring & Logging: Enable audit logging on the MCP server to capture invoked Git commands, their arguments, and originating request IDs. Alert on any deviation from expected repository paths.
  • Network Segmentation: Isolate the MCP server from critical internal networks. If the server must communicate with a filesystem MCP, ensure that only a narrow set of directories are exported.
  • Incident Response Prep: Treat any unexpected LLM output that references repository contents as a potential indicator of compromise. Have a rollback plan to revert repository state and rebuild affected containers.

Real-World Impact

Enterprises that have adopted Anthropic’s MCP for automated code review, documentation generation, or internal knowledge-base assistants now face a tangible risk of supply-chain sabotage. A malicious actor could fork a public open-source library, inject a crafted README that triggers the git_diff overwrite, and submit a pull request. Once the LLM processes the PR-something many CI pipelines do automatically-the MCP server would execute the injected command, potentially overwriting configuration files on the build server. In a worst-case scenario, the attacker could gain a foothold to pivot laterally, exfiltrate credentials stored in configuration files, or delete critical build artifacts, causing production downtime.

Beyond direct sabotage, the privacy implications are non-trivial. Loading a malicious file into the LLM’s context may cause the model to retain snippets of confidential data in its temporary memory, which could later be emitted in unrelated responses, violating data-protection regulations such as GDPR or CCPA.

Small teams are not immune. Many start-ups use the reference implementation as a quick way to prototype AI-assisted developer tools. Without rigorous security hardening, a single compromised repository can cascade across the entire development environment, leading to loss of trust in AI-augmented workflows.

Expert Opinion

Prompt-injection has long been recognised as a subtle yet powerful attack vector against LLM-driven systems. The Anthropic MCP bugs illustrate how traditional software-supply-chain weaknesses intersect with this emerging threat. The root cause-failure to sanitise external input before handing it off to a powerful system command-is a classic mistake, but its impact is amplified in the AI context because the LLM serves as an implicit “trusted” interpreter of that input.

From an industry perspective, this incident should serve as a wake-up call for any organisation that treats LLM tool-use as a “black-box” integration. Security teams must start treating prompts as untrusted data, applying the same rigor to prompt sanitisation that they apply to API inputs. Moreover, the design of protocols like MCP should incorporate defensive defaults: explicit command whitelists, sandboxed execution environments, and mandatory content verification before feeding data to the model.

In the longer term, we expect to see a shift toward "secure-by-design" LLM tool-use frameworks, where the bridge between the model and the operating system is mediated by a policy engine that evaluates each request against a risk model. Until such frameworks become mainstream, the safest approach remains to keep the attack surface minimal-run MCP servers with the least privilege, keep them up to date, and treat every repository artifact as a potential attack vector.

Finally, the rapid disclosure timeline-researchers to vendor to public in under six months-demonstrates that responsible disclosure can work even for cutting-edge AI infrastructure. Organizations should maintain open lines of communication with vendors and stay subscribed to vulnerability feeds for the AI-tooling stack, not just the traditional OS and application layers.