CVE-2025-68143
mcp-server-git's unrestricted git_init tool allows repository creation at arbitrary filesystem locations
Description
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue.
INFO
Published Date :
Dec. 17, 2025, 11:16 p.m.
Last Modified :
April 14, 2026, 3:30 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2025-68143
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 4.0 | MEDIUM | [email protected] |
Solution
- Upgrade to version 2025.9.25 or newer.
- Ensure servers operate only on existing repositories.
Public PoC/Exploit Available at Github
CVE-2025-68143 has a 23 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-68143.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-68143 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-68143
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Rust Go Python HTML TypeScript
Security gateway for MCP traffic. 5 built-in rules block prompt injection, credential leakage, path traversal, cross-repo exfiltration, and destructive commands. One pip install, zero config.
mcp security python proxy claude ai-agents prompt-injection self-hosted model-context-protocol llm-security ai-security cursor security-tools path-traversal credential-leakage
Python
A transparent inspection proxy for LLM API traffic and MCP tool call flows
None
Python TypeScript Shell JavaScript CSS
None
Python TypeScript Shell JavaScript CSS
None
Python Dockerfile
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
ai-agent-security ai-agents ai-security awesome-list cybersecurity llm-security mcp-security prompt-injection supply-chain-security adversarial-attacks agent-security agentic-ai ai-attacks ai-safety cve incident-response owasp red-team security-research vulnerability
Security research and exploit development: vulnerability analysis, exploit chain implementation, post-exploitation tradecraft, and defensive assessment tooling. Covers browser engines, persistence mechanisms, credential harvesting, C2 patterns, and AI-accelerated attack automation.
ai-security browser-security credential-harvesting cve exploit-development post-exploitation proof-of-concept red-team reverse-engineering security-research streamlit vulnerability-analysis worm
Shell HTML JavaScript Batchfile PowerShell Python Makefile Rust C YARA
None
Runtime security proxy for MCP servers — the open-source firewall between AI agents and tools
Dockerfile Go
Skill Panel — Panel todo-en-uno para Claude Code. Explora, audita y gestiona skills y servidores MCP desde el navegador. Scanner de seguridad con 37 checks basados en CVEs reales (malware, exfiltración, prompt injection). Instala MCPs con un click — pega tu token y listo. Detecta automáticamente todo lo instalado. Mac y Windows.
JavaScript HTML
Open-source catalog of 200+ attack vectors targeting AI agents, MCP servers, and LLM-powered applications. Machine-readable (JSON/YAML) with OWASP mappings.
agent-security ai-security llm-security mcp-security owasp prompt-injection security-research threat-catalog
Python Makefile
Dynamic security scanner for MCP (Model Context Protocol) servers — actively probes live servers with exploit payloads. By Cyberneticsplus Services Private Limited.
Python Shell
Security scanner for MCP server configurations
Python
None
JavaScript HTML TypeScript CSS Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-68143 vulnerability anywhere in the article.
-
CybersecurityNews
Multiple 0-day Vulnerabilities in Anthropic Git MCP Server Enables Code Execution
Three zero-day vulnerabilities in mcp-server-git, the reference implementation of Git integration for the Model Context Protocol (MCP). The flaws stem from insufficient input validation and argument s ... Read more
-
The Hacker News
Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete ar ... Read more
-
The Register
Anthropic quietly fixed flaws in its Git MCP server that allowed for remote code execution
Anthropic has fixed three bugs in its official Git MCP server that researchers say can be chained with other MCP tools to remotely execute malicious code or overwrite files via prompt injection. The G ... Read more
The following table lists the changes that have been made to the
CVE-2025-68143 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Apr. 14, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:lfprojects:model_context_protocol_servers:*:*:*:*:*:*:*:* versions up to (excluding) 2025.9.25 Added Reference Type GitHub, Inc.: https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6 Types: Patch Added Reference Type GitHub, Inc.: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v Types: Vendor Advisory -
New CVE Received by [email protected]
Dec. 17, 2025
Action Type Old Value New Value Added Description Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2025.9.25, the git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process, making those directories eligible for subsequent git operations. The tool was removed entirely, as the server is intended to operate on existing repositories only. Users are advised to upgrade to 2025.9.25 or newer to remediate this issue. Added CVSS V4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Added CWE CWE-22 Added Reference https://github.com/modelcontextprotocol/servers/commit/eac56e7bcde48fb64d5a973924d05d69a7d876e6 Added Reference https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v