Anthropic's own MCP reference server had prompt injection vulnerabilities enabling RCE
Security researchers at Cyata disclosed three vulnerabilities in mcp-server-git, Anthropic's official reference implementation of the Model Context Protocol for Git. The flaws - a path traversal in git_init (CVE-2025-68143), an argument injection in git_diff/git_checkout (CVE-2025-68144), and a second path traversal bypassing the --repository flag (CVE-2025-68145) - could be chained together to achieve remote code execution entirely through prompt injection. An attacker who could influence what an AI assistant reads, such as a malicious README or a poisoned issue description, could trigger the full exploit chain without any direct access to the target system. Anthropic quietly patched the vulnerabilities. The git_init tool was removed from the package entirely.
The Reference Implementation
Anthropic introduced the Model Context Protocol (MCP) in November 2024 as an open standard to let large language models interact with external systems - filesystems, databases, APIs, development tools. The idea was straightforward: define a protocol so AI assistants can use tools safely and predictably. MCP servers act as the bridge between the model and the real world, translating AI requests into actual system operations.
The mcp-server-git package is Anthropic's official reference implementation for Git. It's the canonical example - the server developers are expected to study when building their own MCP integrations. It provides built-in tools for reading, searching, and manipulating Git repositories, and it's a Python package available via standard package managers. If you wanted to let an AI assistant interact with Git repos through MCP, this was the server Anthropic built to show you how it's done.
In January 2026, security researchers at Cyata published findings showing that this reference implementation had three vulnerabilities that, when chained together, allowed remote code execution via prompt injection. The very server that was supposed to demonstrate how to build MCP integrations securely was itself insecure.
The Vulnerabilities
Cyata researcher Yarden Porat identified three flaws, all of which received CVEs after responsible disclosure:
CVE-2025-68143 (CVSS 8.8/6.5): The git_init tool accepted arbitrary filesystem paths without validation. It would create a Git repository in any directory an attacker specified - including sensitive system directories like ~/.ssh or ~/.kube. A tool intended to initialize repos in safe locations could be directed to initialize them anywhere on the filesystem.
CVE-2025-68144 (CVSS 8.1/6.4): The git_diff and git_checkout functions passed user-controlled arguments directly to Git CLI commands without sanitization. This is classic argument injection - if you can control what arguments get passed to a shell command, you can make the command do things its authors never intended.
CVE-2025-68145 (CVSS 7.1/6.3): A path traversal vulnerability in the --repository flag meant to restrict operations to a specific repo path. The restriction didn't work properly, allowing operations to escape the intended directory boundary.
Taken individually, each vulnerability is a problem. Chained together, they're an exploit path to remote code execution.
The Attack Chain
Cyata documented a full proof-of-concept showing how the three flaws could be combined with the Filesystem MCP server to achieve RCE. The attack works like this:
- Use git_init to create a repository in a writable directory (CVE-2025-68143 lets you pick any directory)
- Use the Filesystem MCP server to write a malicious .git/config file containing a clean filter (a Git feature that runs commands when files are staged)
- Write a .gitattributes file to apply the filter to target files
- Write a shell script containing the attacker's payload
- Write a file that triggers the filter
- Call git_add, which executes the clean filter, running the payload
The entire chain can be triggered through prompt injection. An attacker doesn't need direct access to the victim's system. They just need to influence what the AI assistant reads. A malicious README in a repository, a poisoned issue description on GitHub, a compromised webpage - any of these could contain hidden instructions that cause the AI to walk through the exploit chain step by step.
As Cyata's Porat noted: "These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads can weaponize these vulnerabilities without any direct access to the victim's system."
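The chain above only works because a repository can carry its own code-execution wiring in .git/config and .gitattributes. The following is an added example, not code from mcp-server-git or from Cyata's write-up: a check a tool server or pre-commit hook could run before staging, which parses both files and reports any clean/smudge filter definitions and the paths bound to them. The sample repository it scans is constructed inline.

```python
# Added example: detect filter-driven command execution wired into a repo.
import os
import re
import tempfile

SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')

def parse_git_config(text):
    """Minimal line-based parser for git's INI-like config (ignores includes)."""
    entries = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1).lower(), m.group(2))
            continue
        m = KEY_RE.match(line)
        if m and section:
            entries.setdefault(section, {})[m.group(1).lower()] = m.group(2)
    return entries

def find_filter_hooks(repo_dir):
    """Return (filter_name, key, command) for each clean/smudge/process command in
    .git/config and ("<attributes>", pattern, filter_name) per .gitattributes binding."""
    findings = []
    cfg_path = os.path.join(repo_dir, ".git", "config")
    if os.path.isfile(cfg_path):
        with open(cfg_path, encoding="utf-8", errors="replace") as f:
            for (kind, name), keys in parse_git_config(f.read()).items():
                if kind == "filter":
                    findings += [(name, k, keys[k]) for k in ("clean", "smudge", "process") if k in keys]
    attr_path = os.path.join(repo_dir, ".gitattributes")
    if os.path.isfile(attr_path):
        with open(attr_path, encoding="utf-8", errors="replace") as f:
            for line in f:
                parts = line.split()
                if not parts or parts[0].startswith("#"):
                    continue
                findings += [("<attributes>", parts[0], a[7:]) for a in parts[1:] if a.startswith("filter=")]
    return findings

def demo():
    """Scan a constructed sample repo (contents are made up for this example)."""
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, ".git"))
    with open(os.path.join(d, ".git", "config"), "w") as f:
        f.write('[core]\n\tbare = false\n[filter "cleanup"]\n\tclean = ./run-clean.sh %f\n')
    with open(os.path.join(d, ".gitattributes"), "w") as f:
        f.write("*.txt filter=cleanup\n")
    return find_filter_hooks(d)
```

A non-empty result from find_filter_hooks is a reason for a tool server to refuse to stage files in that repository until a human has reviewed the filter commands.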
The Fix
Anthropic patched the vulnerabilities in versions 2025.9.25 and 2025.12.18, following responsible disclosure in June 2025. The most notable remediation: the git_init tool was removed from the package entirely. Not restricted, not sandboxed, not validated more carefully. Removed. When the fix for a feature in your reference implementation is to delete the feature, that's a signal about how fundamental the design flaw was.
Path validation was added to prevent the traversal issues, and argument sanitization was implemented for the Git CLI integration.
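The two kinds of checks the fix describes, written as an added example of how a server author might apply them (this is not the actual mcp-server-git patch, and build_git_diff is a hypothetical helper): a path is only accepted once its resolved real path sits under the resolved repository root, and a Git operand is rejected if git could parse it as an option, because a ref must precede the `--` terminator and so cannot be protected by it.

```python
# Added example of path confinement and operand validation for a git tool server.
import tempfile
from pathlib import Path

class ToolInputError(ValueError):
    """Raised when a tool argument fails validation."""

def resolve_within(root, requested):
    """Resolve `requested` (absolute, or relative to root) and require the real
    path to stay under the real root. Symlinks and '..' are resolved before the
    comparison, so a link that points outside the repository is rejected too."""
    root_real = Path(root).resolve()
    target = Path(requested)
    if not target.is_absolute():
        target = root_real / target
    target_real = target.resolve()
    if target_real != root_real and root_real not in target_real.parents:
        raise ToolInputError(f"path escapes repository root: {requested}")
    return target_real

def check_git_operand(value):
    """Reject anything git could parse as an option or that could break the
    command line. Refs come before '--', so the leading-dash check is what
    actually keeps a ref argument from being read as a flag."""
    if not value or value.startswith("-") or "\x00" in value or "\n" in value:
        raise ToolInputError(f"invalid git operand: {value!r}")
    return value

def build_git_diff(repo_root, target):
    """Hypothetical git_diff-style helper: returns argv (does not run git).
    Fixed options first, the validated ref, then '--' so nothing after it is
    ever parsed as a flag."""
    root = resolve_within(repo_root, ".")
    return ["git", "-C", str(root), "diff", check_git_operand(target), "--"]

def demo():
    """Exercise the checks against a constructed temporary root."""
    root = tempfile.mkdtemp()
    inside = resolve_within(root, "src/app.py").name == "app.py"
    try:
        resolve_within(root, "../../etc/passwd")
        escaped = False
    except ToolInputError:
        escaped = True
    try:
        check_git_operand("--output=/tmp/diff.txt")
        flag = False
    except ToolInputError:
        flag = True
    return inside, escaped, flag, build_git_diff(root, "HEAD~1")[-2:]
```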
Why the Reference Server Matters
The mcp-server-git package isn't just another third-party tool with bugs. It's Anthropic's own code, maintained by the company that created the MCP protocol. Developers writing their own MCP servers look at this package to understand how MCP servers should be built. Shahar Tal, CEO and co-founder at Cyata, made the point directly: "This is the canonical Git MCP server, the one developers are expected to copy. If security boundaries break down even in the reference implementation, it's a signal that the entire MCP ecosystem needs deeper scrutiny."
When an example implementation contains path traversal, argument injection, and a viable RCE chain, the implementations that copy from it are unlikely to do better. The Cisco State of AI Security 2026 report found that 86% of organizations are using MCP or similar agent-to-tool protocols. The attack surface represented by the broader MCP ecosystem is growing rapidly, and the quality bar was set by a reference server that needed three CVEs and a feature removal to become safe.
The Vibe Graveyard has covered MCP security issues before - Gemini MCP tool command injection, Cursor's MCPoison trust bypass, and others. Those involved third-party or community-built servers. This one hit Anthropic's own code. The protocol's creator built the canonical example of how to implement it securely, and it was vulnerable to prompt injection chaining into remote code execution. If the lesson of the other MCP stories was "be careful who builds your MCP servers," the lesson of this one is less comfortable: even the vendor writing the spec got it wrong.