Three Flaws in Anthropic MCP Git Server Expose File Access and Code Execution Risks
Security researchers have disclosed three critical vulnerabilities in Anthropic’s mcp-server-git, a Git server component designed for use within the Model Context Protocol ecosystem. The flaws, now patched, demonstrate how weaknesses in AI-adjacent infrastructure can be exploited to gain unauthorized file access and, in some scenarios, remote code execution.
The issues highlight growing concerns around MCP servers, which act as bridges between large language models and external tools. When these integrations are not hardened, they can unintentionally expand the attack surface in both development and production environments.
What Is mcp-server-git and Why It Matters
The mcp-server-git package is an MCP server developed by Anthropic to allow language models to interact with Git repositories. It enables tasks such as repository inspection, initialization, and file operations through structured tool calls.
Because MCP servers often run with access to local files and developer environments, any security flaw within them can have serious consequences. In many setups, these servers operate with elevated permissions, making them attractive targets for attackers.
Breakdown of the Three Vulnerabilities
Researchers identified three distinct but related flaws in the mcp-server-git implementation. The two most severe issues involved path traversal and argument injection, both of which stemmed from insufficient input validation.
By carefully crafting inputs, an attacker could escape intended directory boundaries, overwrite arbitrary files on the host system, or manipulate command arguments passed to underlying Git operations.
From File Access to Code Execution
On their own, the vulnerabilities allow unauthorized file read and write access. However, researchers demonstrated that these flaws could be chained together to escalate impact.
When combined with the Filesystem MCP server, an attacker could leverage prompt injection techniques to influence tool execution. This chaining makes it possible to overwrite executable files or configuration scripts, ultimately leading to arbitrary code execution on the host system.
Such an attack does not rely on traditional network exploits. Instead, it abuses trust placed in AI-driven workflows, where model outputs are directly connected to operational tooling.
Prompt Injection as an Attack Vector
The findings underscore how prompt injection is evolving beyond data leakage and misinformation. In MCP environments, malicious prompts can be used to steer tool behavior in dangerous ways.
If a language model is tricked into issuing harmful tool commands, and those commands are not strictly validated, the model effectively becomes an unwitting accomplice in the attack. This risk grows as organizations automate more development and operational tasks through AI agents.
Security Fixes and Mitigations
Anthropic addressed the vulnerabilities in security updates released in versions 2025.9.25 and 2025.12.18. The patches include stricter validation of file paths and command arguments, closing off the traversal and injection vectors.
As part of the remediation, the git_init tool was removed entirely. This tool was identified as particularly risky due to its ability to create and manipulate repositories in ways that could be abused by attackers.
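The two validation gaps the article describes (paths that escape the repository root, and user values that git parses as options) can both be closed at the tool boundary. The following is an added illustration written for this page, not code from mcp-server-git or its patches; the helper names, the allow-list of subcommands and the sample inputs are assumptions.

```python
from pathlib import Path


class UnsafeInput(ValueError):
    """Raised when a tool argument would escape its intended boundary."""


def resolve_within(root: str, requested: str) -> Path:
    """Resolve `requested` relative to `root` and return the real path,
    but only if it still lies inside `root` after '..' components and
    symlinks have been collapsed. Anything else is a traversal attempt."""
    root_real = Path(root).resolve(strict=False)
    target = (root_real / requested).resolve(strict=False)
    try:
        target.relative_to(root_real)  # raises ValueError when outside root
    except ValueError:
        raise UnsafeInput(f"path escapes repository root: {requested!r}")
    return target


def is_within(root: str, requested: str) -> bool:
    """Boolean convenience wrapper around resolve_within()."""
    try:
        resolve_within(root, requested)
        return True
    except UnsafeInput:
        return False


# Hypothetical allow-list: only read-mostly subcommands a model may invoke.
ALLOWED_SUBCOMMANDS = {"status", "diff", "log", "show", "add"}


def safe_git_argv(subcommand: str, user_args: list[str]) -> list[str]:
    """Build an argv where user-supplied values can never be parsed as git
    options: the subcommand must be allow-listed, no value may begin with
    '-' or contain NUL, and all values go after the '--' separator."""
    if subcommand not in ALLOWED_SUBCOMMANDS:
        raise UnsafeInput(f"git subcommand not allowed: {subcommand!r}")
    for arg in user_args:
        if arg.startswith("-") or "\x00" in arg:
            raise UnsafeInput(f"argument looks like an option: {arg!r}")
    return ["git", subcommand, "--", *user_args]
```

Pass the returned list to subprocess.run with shell=False and cwd set to the resolved repository root, so neither the shell nor git's option parser ever sees a model-controlled token as anything but a path.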
Implications for the MCP Ecosystem
These vulnerabilities serve as a cautionary example for the broader MCP ecosystem. As MCP servers become more common, they will increasingly be targeted by attackers looking to exploit weak validation and implicit trust between models and tools.
Security experts warn that every MCP server should be treated like a production API, with strict input validation, least-privilege execution, and continuous security review. The convenience of AI-driven automation must be balanced against the risks it introduces.
A Broader Lesson for AI Infrastructure Security
The Anthropic mcp-server-git flaws highlight a broader trend in cybersecurity. As AI systems gain deeper integration with code repositories, file systems, and deployment pipelines, traditional security assumptions no longer hold.
Organizations adopting MCP-based tooling are being urged to update immediately, audit their AI integrations, and treat prompt injection as a serious security threat rather than a theoretical concern. The incident makes clear that AI infrastructure is now firmly within the scope of real-world attack surfaces.