Anthropic's official Git MCP server had some worrying security flaws - this is what happened next

News
By published

Bugs could be chained for devastating effect

Claude AI
(Image credit: Shutterstock/ gguy)
  • Anthropic patched Git MCP flaws enabling remote code execution via tool chaining
  • Cyata discovered CVEs; fixed in version 2025.12.18, no exploitation reported yet
  • Claude previously manipulated in cyber espionage campaign targeting major global organizations

Anthropic, the company behind the popular AI model Claude has fixed multiple bugs in its Git MCP server which, researchers claim, can be chained with other MCP tools to enable remote code execution (RCE) or file tampering through prompt injection.

The Git MCP server is Anthropic’s Model Context Protocol service that lets AI tools read and interact with Git repositories. It’s important because it allows the AI to understand real codebases, or answer coding questions without unsafe or unrestricted access.

The bugs were found by Agentic AI security startup Cyata, and are as follows:

Path validation bypass flaw (CVE-2025-68145)

Unrestricted git_init issue (CVE-2025-68143)

Argument injection in git_diff (CVE-2025-68144).

Fixed in December

The researchers said by chaining the Git MCP server with the Filesystem MCP server, they were able to execute arbitrary code, remotely.

"Agentic systems break in unexpected ways when multiple components interact. Each MCP server might look safe in isolation, but combine two of them, Git and Filesystem in this case, and you get a toxic combination," Cyata told The Register.

"As organizations adopt more complex agentic systems with multiple tools and integrations, these combinations will multiply."

Cyata reported the flaw last June, and Anthropic fixed it in December 2025, The Register says. Users should make sure they’re running version 2025.12.18. So far, there is no evidence that the bugs were being exploited in the wild.

Artificial Intelligence is promising major disruptions across industries. As such, businesses scramble to implement it, leaving all sorts of vulnerabilities that different cybercriminals can exploit.

In mid-November 2025, Anthropic said Claude was being used, in agentic capacity, not just as an advisor, but also in executing a cyberattack itself. The company said a highly sophisticated cyber espionage campaign manipulated Anthropic’s Claude Code tool in attempts to infiltrate roughly 30 global targets - primarily targeting large tech companies, government agencies, and financial institutions.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.