AI integration risks grow as critical MCP server vulnerabilities expose cloud and system access.
Key Takeaways:
Cybersecurity researchers have disclosed critical vulnerabilities in widely used MCP servers that exposed how AI-powered tools can quickly turn into high-risk attack surfaces. The flaws could be exploited to enable cloud account takeovers, arbitrary file access, and even full remote code execution.
A Model Context Protocol (MCP) server is a system that connects AI assistants to external tools, data sources, and services, which allows them to perform real-world actions based on the model’s decisions. It acts as a bridge between an LLM and resources like filesystems, databases, APIs, or developer utilities by exposing specific capabilities the AI can invoke. It allows the model to read, modify, or retrieve information from these systems in a structured way.
On January 20, Cyata researchers disclosed three critical vulnerabilities in Anthropic’s official Git MCP server that can be exploited by hackers to perform remote code execution. Meanwhile, BlueRock researchers have also found a major SSRF vulnerability in Microsoft’s MarkItDown MCP server.
According to Cyata researchers, the unrestricted git_init vulnerability (CVE-2025-68143) could allow the creation of Git repositories in arbitrary filesystem locations. Moreover, the path-validation bypass flaw (CVE-2025-68145) enables access to files or repositories outside approved directories. The argument-injection vulnerability (CVE-2025-68144) in Git commands passes unvalidated user-controlled parameters directly to Git.
Hackers could chain these vulnerabilities to read or delete arbitrary files, overwrite system files, and achieve remote code execution (RCE) via Git “clean/smudge” filters and malicious .git/config manipulation. In December 2025, Anthropic released security patches to remove risky components such as git_init and improve validation.
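The two defensive checks a Git-backed MCP tool needs against the path-validation and argument-injection classes described above are shown below as an added example written for this article; it is not Anthropic's Git MCP server code or Cyata's research code, and the root directory, the allowed subcommand set and the sample repository layout are constructed for the demonstration. Every repository path is resolved (following symlinks and `..`) and must stay under one root, and every user-supplied Git argument is rejected if it looks like an option, so Git can never receive a user-controlled flag.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed policy for this example: only these read-only subcommands may be
# invoked by the tool, and every repository path must sit under one root.
SAFE_SUBCOMMANDS = {"status", "log", "diff", "show"}


def resolve_inside(root, candidate):
    """Return the resolved path of `candidate` if it stays under `root`.

    `candidate` may be relative or absolute and may traverse symlinks; after
    resolution it must equal the root or have the root as an ancestor.
    """
    root_real = Path(root).resolve(strict=True)
    target = (root_real / candidate).resolve()  # collapses '..' and follows symlinks
    if target != root_real and root_real not in target.parents:
        raise ValueError(f"path escapes allowed root: {candidate!r}")
    return target


def check_git_arg(arg):
    """Reject empty, option-like or control-character arguments before they reach git."""
    if not arg or arg.startswith("-"):
        raise ValueError(f"option-like or empty argument rejected: {arg!r}")
    if re.search(r"[\x00-\x1f\x7f]", arg):
        raise ValueError("control characters are not allowed in git arguments")
    return arg


def build_git_command(root, repo_subdir, subcommand, *user_args):
    """Assemble an argv list for git that cannot be steered by user input."""
    if subcommand not in SAFE_SUBCOMMANDS:
        raise ValueError(f"subcommand not allowed: {subcommand!r}")
    repo = resolve_inside(root, repo_subdir)
    args = [check_git_arg(a) for a in user_args]
    # '-C' pins the working directory; '--' ends option parsing, so nothing after
    # it can be read by git as a flag (for example --output=... or -c key=value).
    return ["git", "-C", str(repo), subcommand, "--", *args]


def _rejected(fn):
    try:
        fn()
    except ValueError:
        return True
    return False


def run_demo():
    """Build a throwaway root (constructed layout) with one repo directory and one
    symlink that points outside the root, then record which requests pass."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "repos"
        (root / "proj").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        os.symlink(outside, root / "escape")  # lives inside root, resolves outside it
        results["plain"] = build_git_command(root, "proj", "log", "README.md")[3:]
        results["root_itself"] = build_git_command(root, ".", "status")[3:]
        results["dotdot"] = _rejected(lambda: build_git_command(root, "../outside", "status"))
        results["absolute"] = _rejected(lambda: build_git_command(root, "/etc", "status"))
        results["symlink"] = _rejected(lambda: build_git_command(root, "escape", "status"))
        results["option_arg"] = _rejected(lambda: build_git_command(root, "proj", "log", "--output=x"))
        results["bad_subcommand"] = _rejected(lambda: build_git_command(root, "proj", "init"))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The symlink case is the one a string-only check (`startswith(root)` or a normalised `..` filter) misses: the path looks contained until the filesystem resolves it. Resolving both the root and the candidate before comparing them closes that gap, and the `--` separator removes the need to guess which strings Git would treat as options.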
On the other hand, the server-side request forgery (SSRF) vulnerability (dubbed MCP fURI) in Microsoft’s MarkItDown MCP server allows arbitrary URI fetching without any restrictions. This means that attackers or compromised agents can direct the server to access any internal or external HTTP or file resource.
When the MCP server runs on Amazon Web Services (AWS) EC2 instances using IMDSv1, this flaw allows an attacker to query instance metadata and extract AWS credentials, which could lead to full cloud account compromise. BlueRock’s research found that many MCP servers show similar unbounded network fetch behavior, which leaves a large portion of deployments exposed to SSRF and privilege-escalation attacks. The newer AWS metadata service (IMDSv2) offers stronger protection against SSRF attacks, but since most AWS instances still rely on the more vulnerable IMDSv1, the risk remains significant.
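What "bounding" a URI handler looks like in practice is shown below as an added example written for this article; it is not MarkItDown's or BlueRock's code, and the allowed-scheme set and the resolver hook are assumptions made for the demonstration. Before a fetch is attempted, the scheme is restricted to HTTP(S), embedded credentials are refused, and every address the host resolves to is checked against loopback, link-local (which covers the 169.254.169.254 IMDS endpoint), private, IPv4-mapped IPv6, carrier-grade NAT and the fd00:ec2::254 IMDS IPv6 endpoint.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: a document-fetching tool only needs web URLs.
ALLOWED_SCHEMES = {"http", "https"}

# Ranges the ipaddress flags below do not cover but that are never a legitimate
# destination for an outbound fetch (carrier-grade NAT space).
_EXTRA_DENIED = [ipaddress.ip_network("100.64.0.0/10")]


def is_public_address(ip):
    """True only for a globally routable unicast address."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged as its IPv4 form
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False  # covers 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, fc00::/7 ...
    return not any(ip in net for net in _EXTRA_DENIED)


def default_resolver(host):
    """Resolve a hostname to every address it maps to (assumed resolver hook)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_target(uri, resolver=default_resolver):
    """Return the public addresses the fetch may connect to, or raise ValueError."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URI are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        raise ValueError(f"host resolves to non-public address(es): {bad}")
    return addrs


def is_fetch_allowed(uri, resolver=default_resolver):
    """Boolean wrapper around validate_fetch_target for policy checks."""
    try:
        validate_fetch_target(uri, resolver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    table = {"docs.example": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    for uri in ("https://docs.example/report.pdf", "http://169.254.169.254/latest/meta-data/",
                "file:///etc/hosts", "http://intranet.example/"):
        print(uri, "->", is_fetch_allowed(uri, lambda h: table.get(h, [])))
```

Two points matter when wiring this into a real fetch. The check is only meaningful if the connection is made to one of the returned addresses (pinning the IP rather than re-resolving the hostname), otherwise a DNS answer that changes between the check and the connect bypasses it. And the check must be repeated on every redirect target, since a permitted external host can redirect the client to the metadata endpoint. IMDSv2 reduces the blast radius further because a metadata read first requires a session token obtained with a PUT request carrying a custom header, something a simple URL-fetching primitive cannot produce.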
“After investigation we found the reported scenario does not create significant risk for our customers, as it requires a user to deliberately employ the feature in a way that is outside its intended design and normal usage patterns,” a Microsoft spokesperson said in a statement to Dark Reading.
BlueRock’s study of more than 7,000 MCP servers shows that many share the same SSRF exposure, which points to a broad pattern of insecure implementations across the ecosystem. Similarly, Cyata’s findings show that Anthropic’s Git MCP server serves as a reference model, and numerous third‑party MCP servers may unintentionally replicate its vulnerabilities.
Organizations should strengthen their MCP security posture by enforcing strict input validation, limiting what resources MCP servers can access, and ensuring components such as URI handlers are properly bounded to prevent unintended network calls. BlueRock specifically suggests addressing gaps in MCP implementations and using more secure cloud metadata services like AWS IMDSv2 to reduce SSRF exposure.
Additionally, organizations should promptly apply security updates and review how different MCP servers and tools interact within their environments. Cyata also recommends restricting tool combinations, treating all MCP tool inputs as untrusted, and auditing agent permissions holistically to prevent chained exploits and minimize the impact of prompt‑injection attacks.