Capability Laundering in MCP 2: CVE-2025-68143 Anthropic Git MCP Server Path Traversal to Credential Exfiltration
What Happened In our previous analysis, we identified capability laundering in Anthropic’s Memory MCP Server: a “memory storage” tool that could write arbitrary configuration files through unconstrained implementation. This is the second case. The MCP Git Server (mcp-server-git) exposes Git operations to AI agents. The git_init tool accepts arbitrary repo_path values without validation, creating repositories in any filesystem location. Combined with git_diff_staged, this turns a “Git helper” into a credential exfiltration primitive. ...