Anthropic MCP Server Flaws Lead to Code Execution, Data Exposure

New research from Cyata reveals that flaws in the servers connecting LLMs to local data via Anthropic’s MCP can be exploited to achieve remote code execution and unauthorized file access.

All three flaws were identified in the official Git MCP server (mcp-server-git) maintained by Anthropic and could be exploited via prompt injections with attacker-controlled arguments.

“MCP servers execute actions based on LLM decisions, and LLMs can be manipulated through prompt injection,” Cyata explained. “A malicious actor who can influence the AI’s context can trigger MCP tool calls with attacker-controlled arguments.”

The bugs, tracked as CVE-2025-68143, CVE-2025-68145, and CVE-2025-68144, existed because the Git MCP server failed to validate or sanitize specific arguments provided by an attacker.

“These flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without any direct access to the victim’s system,” Cyata said.

The security firm’s researchers showed how an attacker could exploit the vulnerabilities for arbitrary code execution, reading files, and deleting files, with the attack working against any configuration.

The cybersecurity firm first reported the issues to Anthropic in June and July 2025.

The vendor resolved all three vulnerabilities in December, in mcp-server-git version 2025.12.18.

This article was published by Security Week. Please check their website for the original content.