The AI ecosystem is evolving rapidly. Just a few years ago, AI interactions were more contained and prescribed. Today, autonomous agents operate across SaaS platforms with minimal oversight, and LLMs connect to external data through MCP servers, expanding their reach and risk profile.
In the rush to market, many connected AI solutions shipped without adequate security. When Anthropic created the MCP open standard, it left security to users. Over a year later, even top-tier MCP servers contain serious vulnerabilities.
Two Major Exploits Revealed
On Jan. 20, Cyata disclosed an exploit chain that weaponizes Anthropic's Git and Filesystem MCP servers to achieve remote code execution. That same day, BlueRock revealed a severe SSRF vulnerability in Microsoft's MarkItDown MCP server; after analyzing over 7,000 MCP servers, BlueRock estimated that 36.7% of them may carry a similar flaw.
The MarkItDown SSRF Problem
Microsoft's MarkItDown server, with 85,000+ GitHub stars, converts files to Markdown for LLMs. Users provide a URI, and MarkItDown fetches it without validating the input: no scheme allowlist and no check on where the host resolves. This is a textbook SSRF primitive. Anyone who can get a URI in front of the tool, whether a user, an attacker who controls the user's machine, or an attacker who plants a URI in content the agent reads, can make the server fetch internal network resources on their behalf.
BlueRock demonstrated this on AWS EC2 instances. By pointing MarkItDown at the instance metadata service IP (169.254.169.254), they retrieved IAM role credentials, including the access key, secret key, and session token. IMDSv2 blunts this because it requires a session token obtained with a PUT request before any GET is answered, which a plain fetch-the-URI SSRF cannot do. IMDSv1, however, answers unauthenticated GETs, and most AWS instances still run it.
Microsoft's response: the issue does not create significant risk because it requires deliberate misuse outside normal usage patterns. BlueRock disagrees, arguing that developers need clear guidance on implementing proper input constraints.
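What those input constraints look like in practice, as an added example (this is not MarkItDown's code, and the function names `fetch_unvalidated`, `is_safe_url` and `fetch_constrained` are hypothetical): the vulnerable fetch-whatever-you-are-given pattern beside a version that allowlists schemes, resolves the host, and refuses anything that lands on a loopback, private, link-local (which is where 169.254.169.254 lives) or multicast address, including IPv4-mapped IPv6 forms. The resolver is injectable so the check can be exercised without network access.

```python
"""Constructed illustration of an SSRF-prone URI fetch and one way to
constrain it. Added example, not MarkItDown's implementation."""
from __future__ import annotations

import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def fetch_unvalidated(uri: str, timeout: float = 5.0) -> bytes:
    """Vulnerable pattern: whatever URI the caller (or an injected prompt)
    supplies is fetched as-is. file://, http://169.254.169.254/... and
    internal hostnames all go through."""
    with urllib.request.urlopen(uri, timeout=timeout) as resp:
        return resp.read()


def _is_forbidden_address(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for anything that is not a public unicast address: loopback,
    RFC 1918 / ULA ranges, link-local (covers the cloud metadata endpoint),
    unspecified, reserved, and multicast. IPv4-mapped IPv6 addresses such as
    ::ffff:169.254.169.254 are unwrapped first so they cannot slip past."""
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (not addr.is_global) or addr.is_multicast


def is_safe_url(uri: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (ok, reason). Rejects non-http(s) schemes, userinfo in the
    authority, and any host that resolves to a forbidden address.
    `resolver` has getaddrinfo's signature; tests pass a fake."""
    parts = urlparse(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError as exc:
        return False, f"bad port: {exc}"
    try:
        # Literal IP (brackets already stripped by urlparse for IPv6).
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        except OSError as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        # Every address the name resolves to must be acceptable, not just the first.
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    for addr in candidates:
        if _is_forbidden_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """A public host that 302s to 169.254.169.254 would otherwise be followed
    after the check passed. Refuse redirects instead of chasing them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_constrained(uri: str, timeout: float = 5.0, resolver=socket.getaddrinfo) -> bytes:
    """Hardened pattern: validate first, then fetch without following redirects."""
    ok, reason = is_safe_url(uri, resolver)
    if not ok:
        raise PermissionError(f"refusing to fetch {uri!r}: {reason}")
    opener = urllib.request.build_opener(_NoRedirect())
    with opener.open(uri, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    for u in ("file:///etc/passwd",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://[::ffff:169.254.169.254]/",
              "https://93.184.216.34/report.pdf"):
        print(u, "->", is_safe_url(u))
```

Two caveats remain even with this check. The name is resolved once for validation and again by the HTTP client, so a DNS-rebinding host can answer differently the second time; the robust fix is to connect to the validated IP and send the original name in the Host header (or SNI). And the allowlist is deliberately positive (http and https only) rather than a denylist of schemes, because the set of schemes a client library accepts is larger than most people remember.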
Anthropic's Own Servers Vulnerable
Cyata found three medium-severity bugs in Anthropic's official Git MCP server. CVE-2025-68145 (CVSS 6.4) bypasses path validation, allowing access to repositories outside the directory the server was restricted to. CVE-2025-68143 (CVSS 6.5) lets users create Git repositories anywhere on the filesystem. CVE-2025-68144 (CVSS 6.3) weaponizes git_diff to empty or overwrite files.
Individually minor, but chained together with the Filesystem MCP server, these enable RCE through indirect prompt injection. An attacker plants content the agent will read (a README, an issue, a web page) containing instructions that drive the AI through these bugs step by step, ending in arbitrary code execution.
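The path-validation class of bug is worth seeing concretely. The following is an added example of a containment check for a tool that must stay inside an allowed directory; it is not the Git or Filesystem MCP server's code and does not reproduce the exact CVE-2025-68145 bypass (the page does not describe it). The names `naive_is_inside`, `resolve_inside` and `demo` are hypothetical, and `demo` builds a throwaway directory layout constructed for this example. It shows the two ways a string-prefix check fails, a sibling directory that shares the prefix and a symlink inside the root that points outside it, next to a check that resolves the path and compares components.

```python
"""Constructed illustration of a weak and a strict directory-containment
check. Added example, not the MCP servers' implementation."""
from __future__ import annotations

import os
import shutil
import tempfile
from pathlib import Path


def naive_is_inside(root: str, candidate: str) -> bool:
    """Weak check: string prefix on a normalized but unresolved path.
    Accepts '/srv/repos/allowed-evil' for root '/srv/repos/allowed', and
    accepts a symlink under root that points outside it."""
    return os.path.abspath(candidate).startswith(os.path.abspath(root))


def resolve_inside(root: str | Path, candidate: str | Path) -> Path:
    """Strict check: resolve both paths (following symlinks) and require that
    the candidate is the root itself or a descendant by path components.
    Returns the resolved path to use for the actual operation, or raises
    PermissionError. strict=False on the candidate so targets that do not
    exist yet (a repository about to be created) can still be checked."""
    root_r = Path(root).resolve(strict=True)
    cand = Path(candidate)
    if not cand.is_absolute():
        cand = root_r / cand
    cand_r = cand.resolve()
    if cand_r != root_r and root_r not in cand_r.parents:
        raise PermissionError(f"{str(candidate)!r} resolves to {cand_r}, outside {root_r}")
    return cand_r


def demo() -> dict[str, dict[str, bool]]:
    """Build the constructed layout below and report which candidates each
    check accepts (True means the check let the path through).

        base/allowed/sub/          <- the permitted root
        base/allowed/escape -> base/outside   (symlink)
        base/allowed-evil/         <- sibling sharing the string prefix
        base/outside/secret
    """
    base = Path(tempfile.mkdtemp(prefix="mcp-path-demo-"))
    try:
        root = base / "allowed"
        (root / "sub").mkdir(parents=True)
        (base / "allowed-evil").mkdir()
        outside = base / "outside"
        outside.mkdir()
        (outside / "secret").write_text("not for the agent\n")
        (root / "escape").symlink_to(outside, target_is_directory=True)

        cases = {
            "inside": root / "sub" / "notes.md",
            "dotdot": root / "sub" / ".." / ".." / "outside" / "secret",
            "sibling_prefix": base / "allowed-evil" / "x",
            "symlink_escape": root / "escape" / "secret",
        }
        results: dict[str, dict[str, bool]] = {}
        for name, path in cases.items():
            try:
                resolve_inside(root, path)
                strict = True
            except PermissionError:
                strict = False
            results[name] = {"naive": naive_is_inside(str(root), str(path)),
                             "strict": strict}
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} naive={verdict['naive']!s:5s} strict={verdict['strict']}")
```

The strict check still has a time-of-check/time-of-use window: a symlink created between `resolve_inside` and the file operation is not caught. Servers that care should open with `O_NOFOLLOW` or walk and open one component at a time, and should apply the check to every path-bearing argument, including the directory a new repository is initialized in, not just the ones that read files.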
Cyata CEO Shahar Tal explains the core problem. On its own, each MCP server was relatively safe. Their interaction is what broke the assumptions each one made. Hyperconnected AI agents wired to multiple MCP servers create a toxic combination.
Cyata reported the issues in June. Anthropic patched them in December's 2025.12.18 release. If Anthropic gets it wrong in their official reference implementation, Tal notes, then everyone can get MCP security wrong. That's where we are today.
FAQ
What is an MCP server?
MCP (Model Context Protocol) servers let AI assistants connect to external data sources and tools. They extend what LLMs can access and do beyond their training data.
What is SSRF and why does it matter?
Server-Side Request Forgery lets an attacker make a server fetch resources the attacker cannot reach directly. In MCP servers, that means internal network services or cloud instance-metadata credentials that should have stayed out of reach.
Are these vulnerabilities fixed now?
Anthropic patched their Git MCP server in December 2025. Microsoft claims their MarkItDown issue doesn't pose significant risk and hasn't issued a patch. The broader problem affects thousands of other MCP servers.
How does indirect prompt injection work with MCP?
Attackers hide instructions in content the AI reads through its tools, such as web pages, documents, or repository files. The model follows those hidden instructions as if they came from the user, invoking MCP tools and triggering vulnerabilities the user never intended to exercise.
What percentage of MCP servers are vulnerable?
BlueRock's analysis of over 7,000 MCP servers suggests approximately 36.7% may contain similar SSRF vulnerabilities to the one found in Microsoft's MarkItDown server.
