In mcp-server-git versions prior to 2025.12.17, the git_diff and git_checkout functions passed user-controlled arguments directly to git CLI commands without sanitization. Flag-like values (e.g., `--output=/path/to/file` for `git_diff`) would be interpreted as command-line options rather than git refs, enabling arbitrary file overwrites. The fix adds validation that rejects arguments starting with - and verifies the argument resolves to a valid git ref via rev_parse before execution. Users are advised to update to 2025.12.17 resolve this issue when it is released.
https://www.securityweek.com/anthropic-mcp-server-flaws-lead-to-code-execution-data-exposure/
https://www.theregister.com/2026/01/20/anthropic_prompt_injection_flaws/
https://www.infosecurity-magazine.com/news/prompt-injection-bugs-anthropic/
https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html
Published: 2025-12-17
Updated: 2026-04-14
Base Score: 8.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:P
Severity: High
Base Score: 7.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Severity: High
Base Score: 6.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:H/SA:L
Severity: Medium
EPSS: 0.00078