Anthropic created the Model Context Protocol. They designed the specification, published the SDK, and shipped reference server implementations for Git, SQLite, and Filesystem operations. These servers appeared in getting-started guides, tutorials, and Claude Desktop documentation. Developers across the ecosystem used them as templates for their own MCP integrations.

Every one of those reference servers contained serious security vulnerabilities.

The Git server had three CVEs enabling a chain from arbitrary repository creation to file overwrite to full code execution. The Filesystem server had two CVEs allowing sandbox escape and symlink-based code execution. The SQLite server had textbook SQL injection that Anthropic declined to fix. The mcp-remote package, a core piece of MCP infrastructure with 437,000+ downloads, had a CVSS 9.6 command injection. And a later path traversal in git_add allowed exfiltration of any file on the system.

This post walks through every vulnerability, documents the attack chains, and maps each one to the detection patterns Aguara catches today.

9 CVEs in official servers
9.6 highest CVSS score
5,000+ forks of unpatched SQLite
82% MCP servers with path traversal

The Git MCP Server: Three CVEs, One Attack Chain

Anthropic's mcp-server-git is a Python package published on PyPI under the modelcontextprotocol/servers repository. It exposes Git operations as MCP tools: git_init, git_diff, git_log, git_checkout, git_add, and others. Security researcher Yarden Porat of Cyata discovered three vulnerabilities and reported them to Anthropic via HackerOne on June 24, 2025.

Anthropic took nearly three months to accept the report. The first fix shipped on September 25, 2025. The remaining two were patched on December 18, 2025. Public disclosure came on January 20, 2026.

CVE-2025-68143: Unrestricted git_init (CVSS 8.8)
CWE-22 (Path Traversal) · Affected: < 2025.9.25 · GHSA-5cgr-j3jf-jw3v

The git_init tool accepted arbitrary filesystem paths and created Git repositories without validating the target location. Unlike other tools which required an existing repository, git_init could operate on any directory accessible to the server process. No input validation on the repo_path parameter. Once a directory was initialized as a repository, all subsequent Git MCP operations became available on it.

Fix: The git_init tool was removed entirely.

CVE-2025-68144: Argument Injection in git_diff and git_checkout (CVSS 8.1)
CWE-88 (Argument Delimiter Injection) · Affected: < 2025.12.18 · GHSA-9xwc-hfwc-8w59

The git_diff and git_checkout functions passed user-controlled arguments directly to the Git CLI without sanitization. Flag-like values in the target field were interpreted as command-line options. Injecting --output=/path/to/file into the target parameter of git_diff allowed overwriting any file on the filesystem.

Fix: Validation rejects arguments starting with - and verifies the argument resolves to a valid Git ref via rev_parse.

CVE-2025-68145: Path Validation Bypass (CVSS 7.1)
CWE-22 (Path Traversal) · Affected: < 2025.12.18 · GHSA-j22h-9j4x-23w5

The --repository flag is supposed to restrict the MCP server to a specific configured repository path. The git_diff and git_log functions accepted repo_path directly from user arguments without validation against the configured restriction. The security boundary was entirely cosmetic: an attacker could pass any path and operate on any repository on the system.

Fix: Path validation enforced in version 2025.12.18.

The attack chain: from init to code execution

These three vulnerabilities chain together with the Filesystem MCP server to achieve remote code execution without direct shell access:

  1. Create a repo anywhere (CVE-2025-68143): Use git_init to initialize a repository in any writable directory.
  2. Write a malicious payload: Use the Filesystem MCP server to write a bash script into the new repository.
  3. Weaponize Git filters: Use the Filesystem MCP server to write to .git/config and .gitattributes, configuring Git "clean" and "smudge" filters that execute the payload.
  4. Trigger execution: When any subsequent Git operation triggers the filter, the payload executes.
The entire chain can be triggered through indirect prompt injection. A malicious README, a poisoned GitHub issue, or a compromised webpage that the AI assistant reads. The LLM follows the injected instructions and calls the MCP tools on the attacker's behalf. No credentials, no shell access, no direct interaction with the target.

The Filesystem MCP Server: Sandbox Escape

Cymulate Research Labs discovered two vulnerabilities in Anthropic's Filesystem MCP server, collectively named "EscapeRoute."

CVE-2025-53110: Directory Containment Bypass (CVSS 7.3)
CWE-22 (Path Traversal) · Fixed: 2025.7.1

The server used path.startswith(allowed_dir) validation, which is trivially bypassable. If the allowed directory was /tmp/allowed_dir, an attacker could create /tmp/allowed_dir_evil and it would pass the check. Enables unrestricted listing, reading, and writing outside the sandbox.

CVE-2025-53109: Symlink Bypass to Code Execution (CVSS 8.4)
CWE-59 (Symlink Following) · Fixed: 2025.7.1

Crafted symlinks bypassed access enforcement entirely. Attackers could create symbolic links pointing to sensitive system files like /etc/sudoers, gaining full read/write access. Since LLM workflows often run with elevated user privileges, successful exploitation can translate into root-level compromise.

The SQLite MCP Server: Unpatched SQL Injection

This is the most troubling case. Trend Micro researcher Park discovered that Anthropic's SQLite MCP server directly concatenates unsanitized user input into SQL statements. No parameterized queries. No filtering. No validation. Textbook SQL injection (CWE-89).

Park reported the vulnerability to Anthropic on June 11, 2025 via responsible disclosure. Anthropic's response: "Out of scope." The repository had been archived on May 29, 2025, and Anthropic classified it as a demo implementation with no obligation to patch.

The problem: the SQLite server had been forked over 5,000 times before archival. Developers used it as a template for their own database integrations. Those forks inherited the SQL injection vulnerability. They exist inside production agents today. No CVE was assigned. No advisory was published. The vulnerable code propagated silently.

SQL injection in an AI agent context is worse than in a traditional web application. Trend Micro demonstrated an attack chain where injected SQL payloads become stored prompt injections. The attacker writes malicious prompts into the database. When the LLM later queries the database, it retrieves and follows those prompts. One injected record can hijack the agent, trigger data theft, and propagate to other connected MCP servers.

mcp-remote: CVSS 9.6 Command Injection

CVE-2025-6514: OS Command Injection via OAuth Flow (CVSS 9.6)
CWE-78 (OS Command Injection) · Affected: 0.0.5 through 0.1.15 · Fixed: 0.1.16 · GHSA-6xpm-ggf7-wc3p

Discovered by JFrog Security Research. mcp-remote is an npm proxy package that enables MCP clients to communicate with remote servers over OAuth. During the OAuth flow, the package requests the authorization_endpoint URL from the remote server and passes it to the open npm package to launch a browser. On Windows, this becomes a PowerShell encoded command. A malicious server can return a crafted URL that injects OS commands.

437,000+ downloads at discovery. 558,000+ by later reports. The attacker only needs to convince a user to connect to their malicious MCP server. No other interaction required.

This was the first documented case of full remote code execution against an MCP client in a real-world scenario. Not a theoretical attack. Not a contrived setup. A user connects to a malicious MCP server and gets arbitrary code execution.

CVE-2026-27735: Path Traversal in git_add

Even after the first three Git server CVEs were patched, another vulnerability was discovered. The git_add tool did not validate that file paths in the files argument were within the repository boundary. Paths with ../ sequences resolving outside the repository were accepted and staged.

The attack: stage sensitive files like /etc/shadow or ~/.ssh/id_rsa, then use git_commit and git_push to exfiltrate them to a repository the attacker controls. Fixed in version 2026.1.14.

The broader pattern: Endor Labs data

Endor Labs systematically analyzed 2,614 MCP implementations and found the same vulnerability classes reproduced across the ecosystem:

  • 82% use file system operations prone to path traversal (CWE-22)
  • 67% use sensitive APIs related to code injection (CWE-94)
  • 34% use sensitive APIs related to command injection (CWE-78)
  • 5-7% use APIs tied to XSS, SQL injection, and open redirect
  • ~75% of MCP servers were built by individuals without enterprise-grade security practices

The common architectural assumption: inputs from LLMs or MCP components can be trusted. They cannot. Every document, webpage, email, or API response an LLM reads is a potential prompt injection vector. When that injection reaches a tool with path traversal, argument injection, or SQL injection vulnerabilities, the agent becomes the exploit delivery mechanism.

What Aguara detects today

Every vulnerability class in this analysis maps to at least one Aguara detection category. Here is the mapping:

Vulnerability Class Aguara Category Rules
Path traversal (CWE-22) Credential Leak + Data Exfiltration 19 + 16
Argument injection (CWE-88) Command Execution 16
SQL injection (CWE-89) Command Execution + Toxic Flow 16 + 3
OS command injection (CWE-78) Command Execution 16
Symlink bypass (CWE-59) Supply Chain 15
Directory containment bypass Credential Leak + SSRF 19 + 10
Unverified downloads (npx -y) External Download 17
Tool description injection MCP Attack + Prompt Injection 12 + 17
Credential exfiltration via git Credential Leak + Data Exfiltration 19 + 16

Specific detection examples

The Git server attack chain involves accessing sensitive files, creating repositories in arbitrary locations, and using Git filters for code execution. Aguara's Credential Leak rules detect access patterns targeting ~/.ssh/id_rsa, ~/.aws/credentials, /etc/shadow, and similar sensitive paths. Command Execution rules catch subprocess calls with unsanitized arguments. Supply Chain rules flag modifications to Git configuration files and filter setups.

The SQLite injection manifests as unsanitized input flowing to database operations. Toxic Flow rules detect source-to-sink taint patterns where user-controlled input reaches database execution without parameterization.

The mcp-remote command injection follows the classic pattern of external input passed to OS execution. Command Execution rules cover subprocess.run with shell=True, eval()/exec(), and equivalents across Python, Node.js, and other runtimes.

The Filesystem sandbox escape is detectable through the file access patterns it enables. Once an attacker breaks out of the sandbox, they access credentials, system files, and network configurations. Credential Leak and SSRF rules catch the operations that make sandbox escapes valuable to attackers.

# Scan your MCP setup for these vulnerability patterns
aguara scan --auto --severity high

# Scan a specific MCP server implementation
aguara scan ./mcp-server/ --category command-execution,credential-leak,supply-chain

# Check the live ecosystem data
# watch.aguarascan.com

The timeline problem

The disclosure timelines tell a story about how MCP security is being handled:

Event Date Gap
CVE-2025-68143 reported to Anthropic Jun 24, 2025
Anthropic accepts report Sep 10, 2025 78 days
First fix (git_init removed) Sep 25, 2025 93 days
Remaining CVEs patched Dec 18, 2025 177 days
Public disclosure Jan 20, 2026 210 days
SQLite injection reported Jun 11, 2025
Anthropic: "Out of scope" Jun 2025 Never fixed

The Git server vulnerabilities went unpatched for six months. The SQLite server was never fixed. Meanwhile, developers were building production integrations using these servers as their reference.

Why reference implementations matter more than you think

When the creators of a protocol ship reference implementations, they set the security baseline for the entire ecosystem. Developers copy patterns from reference code. They inherit assumptions about input validation, access control, and trust boundaries. If the reference implementation trusts MCP inputs implicitly, every downstream implementation will too.

This is exactly what happened. Endor Labs found that approximately 75% of MCP servers were built by individuals following these reference implementations as templates. The path traversal patterns, the missing input validation, the implicit trust of LLM-provided arguments: these are not independent mistakes. They are inherited patterns from code that was supposed to be the gold standard.

The irony is sharp. Anthropic created MCP to safely connect AI models to external tools. Their own reference implementations shipped with path traversal, argument injection, SQL injection, sandbox escapes, and command injection. The protocol designed for safe tool integration taught the ecosystem to be insecure.

What to do right now

  1. Audit your MCP server implementations. If your code was derived from any Anthropic reference server, check that you are running the patched versions. The Git server needs 2026.1.14+. The Filesystem server needs 2025.7.1+. The mcp-remote package needs 0.1.16+.
  2. Check for SQLite server forks. If you or anyone on your team forked the SQLite MCP server before it was archived, that code has unpatched SQL injection. Migrate to parameterized queries.
  3. Scan your MCP configuration. Run aguara scan --auto to auto-discover Claude Desktop, Cursor, Windsurf, and 14 other MCP client configurations. It detects the vulnerability patterns documented in this post.
  4. Monitor the ecosystem. Aguara Watch scans 43,000+ skills across 7 registries four times daily. Vulnerability patterns like these propagate through forks and copies. Continuous monitoring catches them.
  5. Treat MCP inputs as untrusted. The fundamental assumption behind every CVE in this post is that inputs from the LLM or MCP client can be trusted. They cannot. Validate, sanitize, and constrain every parameter at every tool boundary.
Runtime defense matters too. Static scanning catches the vulnerability patterns before deployment. Runtime enforcement blocks exploitation attempts as they happen. For runtime scanning of every MCP tool call with 169 detection rules, identity verification, and per-agent policies, see the Oktsec MCP Gateway.

The reference implementations are fixed now (except SQLite). The ecosystem they shaped is not. The patterns they taught are embedded in thousands of downstream implementations. Scan your tools. Validate your inputs. Do not assume that because a server comes from a trusted source, it was built securely.

The protocol creators shipped vulnerable code. The lesson is not that they failed. The lesson is that nobody is exempt from security review, and MCP tools need the same rigor we apply to any other attack surface.

Scan your MCP setup for these vulnerability patterns

Aguara detects path traversal, argument injection, command execution, credential exposure, and every other vulnerability class documented in this post. 153 rules, 13 categories. Open source.

Get Aguara on GitHub Aguara Watch Oktsec Runtime