Saved February 14, 2026
Cybersecurity researchers found three serious vulnerabilities in Anthropic's mcp-server-git, allowing attackers to manipulate AI assistants without needing system access. The flaws, affecting all versions before December 2025, enable code execution, file deletion, and potential exposure of sensitive data. Users are urged to update their systems immediately.
Three significant security vulnerabilities have been found in Anthropic's Model Context Protocol (MCP) Git server, known as mcp-server-git. Discovered by cybersecurity firm Cyata, these flaws can be exploited through prompt injection, allowing attackers to manipulate AI assistants into executing unintended commands. All versions of mcp-server-git released before December 8, 2025, are affected, particularly default installations. An attacker only needs to influence the input that an AI assistant reads, such as a harmful README file or a compromised webpage, making it easy to trigger the vulnerabilities without requiring system access or credentials.
The identified flaws enable various malicious actions. For instance, attackers can execute arbitrary code when mcp-server-git operates alongside a filesystem MCP server, delete files, or load harmful content into a language model's context. While the vulnerabilities do not directly exfiltrate data, they can expose sensitive information to the AI, posing security and privacy risks. This situation is more alarming than previous MCP issues, which often relied on unusual configurations. Cyata's findings indicate that these vulnerabilities can be exploited "out of the box."
The design of MCP contributes to the risk, as it allows AI assistants to interact with tools like filesystems and APIs. mcp-server-git does not validate repository paths or sanitize input properly. This oversight means attackers can direct the server to act on any directory, not just those specified in its configuration. For example, unsanitized arguments in commands like git_diff can lead to file overwrites, while improper use of git_init can result in file deletions or pave the way for code execution. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145. Anthropic accepted these reports in September and released fixes in December 2025. Users are urged to update their systems and review their MCP server configurations, especially where Git and filesystem access are involved.
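A minimal sketch of the two checks the paragraph above describes as missing: confining the requested repository path to the configured directory and refusing arguments that git would parse as options. This is an added example, not Anthropic's code or the actual fix; the function names and the `allowed_root` parameter are hypothetical.

```python
from pathlib import Path


class ToolInputError(ValueError):
    """Raised when a tool argument fails validation."""


def resolve_repo_path(requested: str, allowed_root: str) -> Path:
    """Return the resolved path only if it lies inside allowed_root."""
    root = Path(allowed_root).resolve()
    # resolve() collapses ".." segments and follows symlinks, so the
    # comparison below is made on the real location, not the spelling.
    target = Path(requested).resolve()
    if target != root and root not in target.parents:
        raise ToolInputError(f"{requested!r} is outside the configured repository")
    return target


def check_git_ref(value: str) -> str:
    """Reject values that git would treat as an option instead of a ref."""
    if not value or value.startswith("-"):
        raise ToolInputError(f"{value!r} is not an acceptable ref argument")
    if any(ch.isspace() or ord(ch) < 32 for ch in value):
        raise ToolInputError(f"{value!r} contains whitespace or control characters")
    return value


def build_diff_argv(repo: str, allowed_root: str, target: str) -> list[str]:
    """Build an argv list (never a shell string) for a diff against target."""
    path = resolve_repo_path(repo, allowed_root)
    ref = check_git_ref(target)
    # Defense in depth: --end-of-options (git 2.24+) stops option parsing
    # before the caller-supplied ref.
    return ["git", "-C", str(path), "diff", "--end-of-options", ref]
```

Comparing resolved path components rather than string prefixes is what keeps a sibling directory such as `repo-evil` from passing a check meant for `repo`.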