TechRadar
Sead Fadilpašić

Anthropic's official Git MCP server had some worrying security flaws - this is what happened next

  • Anthropic patched Git MCP flaws enabling remote code execution via tool chaining
  • Cyata discovered CVEs; fixed in version 2025.12.18, no exploitation reported yet
  • Claude previously manipulated in cyber espionage campaign targeting major global organizations

Anthropic, the company behind the popular AI model Claude, has fixed multiple bugs in its Git MCP server which, researchers claim, can be chained with other MCP tools to enable remote code execution (RCE) or file tampering through prompt injection.

The Git MCP server is Anthropic’s Model Context Protocol service that lets AI tools read and interact with Git repositories. It’s important because it allows the AI to understand real codebases, or answer coding questions without unsafe or unrestricted access.

The bugs were found by agentic AI security startup Cyata, and are as follows:

  • Path validation bypass flaw (CVE-2025-68145)
  • Unrestricted git_init issue (CVE-2025-68143)
  • Argument injection in git_diff (CVE-2025-68144)

Fixed in December

The researchers said that by chaining the Git MCP server with the Filesystem MCP server, they were able to execute arbitrary code remotely.

"Agentic systems break in unexpected ways when multiple components interact. Each MCP server might look safe in isolation, but combine two of them, Git and Filesystem in this case, and you get a toxic combination," Cyata told The Register.

"As organizations adopt more complex agentic systems with multiple tools and integrations, these combinations will multiply."

Cyata reported the flaw last June, and Anthropic fixed it in December 2025, The Register says. Users should make sure they’re running version 2025.12.18. So far, there is no evidence that the bugs were being exploited in the wild.

Artificial Intelligence is promising major disruptions across industries. As such, businesses scramble to implement it, leaving all sorts of vulnerabilities that different cybercriminals can exploit.

In mid-November 2025, Anthropic said Claude was being used in an agentic capacity, not just as an advisor but also to execute a cyberattack itself. The company said a highly sophisticated cyber espionage campaign manipulated Anthropic’s Claude Code tool in attempts to infiltrate roughly 30 global targets - primarily large tech companies, government agencies, and financial institutions.
