The Vulnerability That Should Concern Every MCP User

Security researchers at Cyata discovered a critical vulnerability chain in mcp-server-git, Anthropic's official MCP server for Git operations. The findings, disclosed today, reveal three distinct flaws that, when chained together, enabled attackers to read, delete, and overwrite arbitrary files on the host system.

In the worst case scenario, attackers could achieve full remote code execution without credentials or shell access.

The company that created MCP shipped an official server with RCE vulnerabilities.

Breaking Down the Vulnerability Chain

Flaw 1: Unrestricted git_init

The git_init tool allowed repository initialization at arbitrary filesystem paths. An attacker could initialize a Git repository anywhere the user had write permissions.

What this enables: Writing .git directories to sensitive locations, setting up the attack chain.

Flaw 2: Path Validation Bypass

The server's path validation could be bypassed, enabling access to repositories outside the configured allowlist.

What this enables: Escaping the intended sandbox, accessing files that should be off-limits.

Flaw 3: Argument Injection in git_diff

Unsanitized input was passed directly to the Git command-line interface, enabling argument injection.

What this enables: Injecting malicious arguments into Git commands, manipulating behavior.

The Deadly Combination

Individually, these flaws are concerning. Chained together, they're catastrophic.

When the Git MCP server operated alongside the Filesystem MCP server (a common configuration), attackers could abuse Git's smudge and clean filters to execute arbitrary shell commands. The attack could be triggered through prompt injection: malicious content in README files, issue descriptions, or commit messages that the AI assistant reads and acts upon.

Malicious README → AI reads content → Prompt injection triggers git operation →
Argument injection → Smudge filter execution → Shell command runs → RCE achieved

The Timeline Problem

Date Event
June 2025 Cyata discovers vulnerabilities, reports to Anthropic
December 17, 2025 Fixes released, git_init tool removed entirely
January 20, 2026 Public disclosure

Six months of exposure. Every organization using the default mcp-server-git installation before December 18, 2025 was vulnerable.

How many developers installed this official Anthropic server, trusted it implicitly because of its source, and used it with sensitive repositories? We don't know. But the number is almost certainly in the thousands.

What This Reveals About MCP Security

1. "Official" Doesn't Mean Secure

This wasn't a random npm package from an unknown developer. This was Anthropic's own server, built by the company that created the Model Context Protocol. They have world-class security engineers. They presumably review their own code.

And they still shipped path traversal, argument injection, and sandbox escape vulnerabilities.

If Anthropic can't ship secure MCP servers by default, what chance do the thousands of community developers have?

2. The Attack Surface is Larger Than You Think

The vulnerability required chaining multiple flaws and combining with another MCP server (Filesystem). This is exactly how real-world attacks work: - Individual weaknesses that seem minor - Combined into devastating exploit chains - Triggered through indirect vectors (prompt injection)

Security analysis that only looks for obvious single-point vulnerabilities will miss these chains.

3. Trust Models Are Broken

The current MCP ecosystem operates on implicit trust: - Developers trust servers from "reputable" sources - Organizations trust what their developers install - Nobody is systematically verifying security

This vulnerability proves that trust-based security doesn't work. Even the most reputable source, the protocol creator itself, shipped vulnerable code.

The Patterns Ocellus Detects

At Ocellus, we've been building automated security analysis specifically for MCP servers. Several of the vulnerability patterns in mcp-server-git align with what our engine detects:

Command Injection Detection

Our engine flags unsanitized input passed to system commands using pattern matching, context analysis, and data sink identification:

FINDING: git_diff passes user input to CLI without sanitization
RISK: Critical - Command/argument injection possible
RECOMMENDATION: Implement strict input validation and argument escaping

This is exactly what enabled the argument injection flaw in mcp-server-git.

Path Traversal Patterns

We detect code patterns suggesting path traversal vulnerabilities, specifically functions that accept user-controlled paths without validation:

FINDING: git_init accepts arbitrary path specification
RISK: High - Path traversal patterns detected
RECOMMENDATION: Implement path allowlisting and validation

Supply Chain Attack Patterns

Our supply chain security agent detects patterns common in MCP tool poisoning, the same category of attack seen in the Postmark incident:

FINDING: Tool executes external commands based on repository content
RISK: Medium - Potential for supply chain compromise
RECOMMENDATION: Validate and sanitize external inputs

What We're Building Next

The mcp-server-git vulnerability also highlights gaps we're actively working to address:

  • Tool combination analysis: Understanding how multiple MCP servers interact (e.g., git + filesystem = filter abuse risk)
  • Runtime behavior monitoring: Detecting exploitation attempts, not just vulnerable code patterns
  • Capability boundary enforcement: Ensuring tools operate within their declared permissions

Lessons for the MCP Ecosystem

For Developers

  1. Don't trust any MCP server implicitly, not even official ones
  2. Review permissions before installing. Does a Git tool really need unrestricted filesystem access?
  3. Keep servers updated. This vulnerability was quietly patched in December
  4. Isolate sensitive operations. Don't run Git MCP alongside Filesystem MCP with broad permissions

For Security Teams

  1. Inventory your MCP servers. Do you even know what's installed?
  2. Assess the combinations. Individual servers may be safe, but combinations may not be
  3. Monitor for updates. Security patches don't announce themselves
  4. Implement approval workflows. "Developer installs whatever they want" doesn't scale

For the Ecosystem

  1. Systematic security analysis. Manual review doesn't catch everything
  2. Transparent security metadata. What did the analysis find?
  3. Update notifications. How do organizations know when to patch?
  4. A security-first registry. Not just "install and hope"

The Case for Pre-Deployment Analysis

This vulnerability was discoverable through static analysis. The patterns (unrestricted path operations, unsanitized CLI input, dangerous capability combinations) are detectable without running the code.

The question is whether anyone looks.

In the current ecosystem, the answer is usually no. Developers install MCP servers based on functionality descriptions and GitHub stars. Security teams don't have visibility. Vulnerabilities sit undetected until a security researcher stumbles upon them.

Ocellus exists to change this equation. Our registry provides:

  • Pre-analyzed MCP servers with detailed security findings
  • Risk scoring based on permissions, code patterns, and dependencies
  • Continuous monitoring for newly discovered vulnerabilities
  • Enterprise policy enforcement to block or flag risky installations

We can't prevent all vulnerabilities. But we can ensure organizations make informed decisions rather than trusting blindly.

Key Takeaways

  1. Anthropic's official Git MCP server had critical RCE vulnerabilities that existed for six months before patching.

  2. "Official" and "reputable" don't guarantee security. The protocol creator shipped vulnerable code.

  3. Vulnerability chains are the real threat. Individual flaws combine into devastating exploits.

  4. The current trust model is broken. Implicit trust doesn't work for code with system-level access.

  5. Automated security analysis is essential. Manual review doesn't scale and misses subtle patterns.

  6. Pre-deployment analysis catches what runtime monitoring can't. By the time you detect exploitation, the damage is done.

The Path Forward

The Anthropic Git MCP vulnerability is a wake-up call. MCP adoption is accelerating, the attack surface is growing, and security infrastructure hasn't kept pace.

This is why we're building Ocellus.

Join the Waitlist for enterprise policy enforcement and continuous monitoring.

About Ocellus

Ocellus is the security registry for MCP tools. We provide automated security analysis, risk scoring, and enterprise governance for organizations adopting AI assistants.

Founded by security engineers who recognized the critical gap in MCP security, we're building the infrastructure the ecosystem needs to scale safely.

Follow us: - Twitter: @OcellusSecurity

The vulnerabilities discussed in this post were discovered and responsibly disclosed by Cyata.