Report 5264
GitHub MCP Exploited: Accessing private repositories via MCP
We showcase a critical vulnerability in the official GitHub MCP server integration that allows attackers to access private repository data. The vulnerability is among the first discovered by Invariant's security analyzer for detecting toxic agent flows.
Invariant has discovered a critical vulnerability affecting the widely-used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories.
The issue is among the first discovered by Invariant's automated security scanners for detecting so-called Toxic Agent Flows: scenarios in which an agent is manipulated into performing unintended actions, such as leaking data or executing malicious code. For more information, see below.
It is highly relevant to raise awareness about this issue at this time, as the industry is racing to deploy coding agents and IDEs widely, potentially exposing users to similar attacks on critical software development tools.
Attack Setup
In this attack setup, the user is using an MCP client like Claude Desktop with the Github MCP server connected to their account.
We assume the user has created two repositories:
<user>/public-repo: A publicly accessible repository, allowing everyone on GitHub to create issues and bug reports.
<user>/private-repo: A private repository, e.g. with proprietary code or private company data.
Because public repositories accept issues from any GitHub user, an attacker can create a malicious issue on the public repository containing a prompt injection that lies dormant until the agent reads it.
The attack triggers as soon as the user, the owner of the GitHub account, queries their agent with a benign request such as "Have a look at the open issues in <user>/public-repo". The agent fetches the issues from the public repository and, in doing so, ingests the injected instructions.
As shown here, as soon as the agent encounters the malicious GitHub issue, it can be coerced into pulling private repository data into context, and leaking it in an autonomously-created PR in the public repository, freely accessible to the attacker or anyone else.
Toxic Flows We call this use of indirect prompt injection to trigger a malicious tool-use sequence a toxic agent flow. We found this vulnerability by applying Invariant's security analyzer to GitHub MCP, which allowed us to automate the process of discovering the flow in the wild.
Attack Demonstration
To illustrate more concretely, we implement this attack practically using a set of demo repositories:
- ukend0464/pacman: A public repository with a simple implementation of a Pacman game (available here)
- Multiple private repositories containing personal projects and sensitive information about the user.
'About The Author' injection We now place a malicious issue in the public repository, which anyone, including the attacker, can write to. The issue contains a payload that the agent will act on as soon as it queries the public repository's list of issues.
User Interaction To trigger the attack, the user merely prompts Claude 4 Opus with the following request: "Have a look at issues in my open source repo pacman and address them!"
Claude then uses the GitHub MCP integration to follow the instructions. Throughout this process, Claude Desktop by default requires the user to confirm individual tool calls. However, many users already opt for an “Always Allow” confirmation policy when using agents, and stop monitoring individual actions.
Attack Rollout The agent now goes through the list of issues until it finds the attack payload. It willingly pulls private repository data into context, and leaks it into a pull request of the pacman repo, which is freely accessible to the attacker since it is public.
Detecting Toxic Agent Flows
Unlike previously-discovered tool poisoning attacks with MCP, this vulnerability does not require the MCP tools themselves to be compromised. Instead, the issue emerges even with fully trusted tools, as agents can be exposed to untrusted information when connected to external platforms like GitHub.
Understanding, analyzing, and mitigating such issues in agentic systems is a highly complex undertaking that's difficult to perform manually and at scale. To address this challenge, Invariant has developed automated methods for detecting toxic agent flows, enabling organizations to identify and model potential threats before they can be exploited by malicious actors.
...
Scope and Mitigations
While our experiments focused on Claude Desktop, the vulnerability is not specific to any particular agent or MCP client. It affects any agent that uses the GitHub MCP server, regardless of the underlying model or implementation.
Importantly, this is not a flaw in the GitHub MCP server code itself, but rather a fundamental architectural issue that must be addressed at the agent system level. This means that GitHub alone cannot resolve this vulnerability through server-side patches.
We thus recommend the following two key mitigation strategies to prevent such attacks and strengthen the security posture of your agent systems.
1. Implement Granular Permission Controls
When using MCP integrations like GitHub's, it is critical to limit agent access to only the repositories it needs to interact with, following the principle of least privilege. Traditional token-based permissions offer some protection, but a static token scope is fixed before the task starts: it cannot express "only the repository this session is already working in", so it often ends up either too broad to prevent the flow above or too narrow for the agent to be useful.
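As an added example (not Invariant's code, nor part of the GitHub MCP server), the following Python guard shows what a session-scoped, context-aware control looks like in practice. It sits between the MCP client and the tool calls it is about to issue and enforces one rule: once the agent has ingested content that an outsider can write (issues, comments, PR bodies) from repository A, every later call that names a different repository B is denied. The tool names and the `owner`/`repo` argument shape mirror the GitHub MCP server's tools, but the set of "untrusted-result" tools and the demo repository names are assumptions.

```python
"""Session-scoped repository guard for GitHub MCP tool calls (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Tools whose results carry text that any GitHub user can author.
# Assumption: extend this set for any tool that returns issue/comment/PR text.
UNTRUSTED_RESULT_TOOLS = {
    "list_issues", "get_issue", "get_issue_comments",
    "get_pull_request", "search_issues",
}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class RepoScopedGuard:
    # Optional static allow-list of "owner/repo"; empty means no allow-list.
    allowed_repos: set = field(default_factory=set)
    # Repository whose untrusted content has entered the context (None until then).
    tainted_scope: Optional[str] = None
    log: list = field(default_factory=list)

    @staticmethod
    def repo_of(call: ToolCall) -> Optional[str]:
        owner, repo = call.args.get("owner"), call.args.get("repo")
        return f"{owner}/{repo}" if owner and repo else None

    def check(self, call: ToolCall) -> Decision:
        repo = self.repo_of(call)
        if repo is None:
            d = Decision(True, f"{call.name}: no repository argument")
        elif self.tainted_scope is not None and repo != self.tainted_scope:
            # Core rule: after untrusted input from repo A, nothing may touch repo B.
            d = Decision(False, f"{call.name} on {repo} denied: context already "
                                f"contains untrusted content from {self.tainted_scope}")
        elif self.allowed_repos and repo not in self.allowed_repos:
            d = Decision(False, f"{call.name}: {repo} not in session allow-list")
        else:
            d = Decision(True, f"{call.name} on {repo}")
        # Pin the session to the first repo that fed untrusted text into context.
        if d.allowed and call.name in UNTRUSTED_RESULT_TOOLS and self.tainted_scope is None:
            self.tainted_scope = repo
        self.log.append((call.name, repo, d.allowed))
        return d


def run_session(guard: RepoScopedGuard, calls) -> Decision:
    """Issue calls in order and stop at the first one the policy denies."""
    for call in calls:
        d = guard.check(call)
        if not d.allowed:
            return d
    return Decision(True, "session completed")


# Constructed traces; repository names are hypothetical.
ATTACK = [
    ToolCall("list_issues", {"owner": "ukend0464", "repo": "pacman"}),
    ToolCall("get_file_contents", {"owner": "ukend0464", "repo": "private-repo", "path": "notes.md"}),
    ToolCall("create_pull_request", {"owner": "ukend0464", "repo": "pacman", "title": "About the author"}),
]
BENIGN = [
    ToolCall("list_issues", {"owner": "ukend0464", "repo": "pacman"}),
    ToolCall("get_file_contents", {"owner": "ukend0464", "repo": "pacman", "path": "pacman.py"}),
    ToolCall("create_pull_request", {"owner": "ukend0464", "repo": "pacman", "title": "Fix #1"}),
]

if __name__ == "__main__":
    print(run_session(RepoScopedGuard(), ATTACK))   # denied at the private-repo read
    print(run_session(RepoScopedGuard(), BENIGN))   # session completed
```

The guard denies the attack at step 2, before any private data reaches the model, while the benign single-repository workflow runs unchanged. A real client would surface the denial as a confirmation prompt rather than a hard stop, and would pin the scope per task rather than per process.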
...
2. Conduct Continuous Security Monitoring
Beyond preventative measures, implement robust monitoring solutions to detect and respond to potential security threats in real time. We recommend deploying specialized security scanners such as Invariant's MCP-scan to continuously audit interactions between agents and MCP systems.
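To make the monitoring concrete, here is an added example (not mcp-scan or Invariant's analyzer) of an offline detector that runs over a logged tool-call trace and flags the three-step pattern described in this post: a call that returns outsider-writable text from a public repository, a later read from a private repository, and a later write back to a public repository whose outgoing arguments share text with that private read. Text overlap is measured with word 5-grams, so incidental matches on a single word do not fire. The trace format, the tool-name sets and the repository visibility field are assumptions; in practice visibility would be looked up through the GitHub API.

```python
"""Offline toxic-flow detector over a GitHub MCP tool-call trace (added example)."""
import json
import re

# Assumption: tool names mirror the GitHub MCP server; extend for other tools.
SOURCE_TOOLS = {"list_issues", "get_issue", "get_issue_comments", "search_issues"}
READ_TOOLS = {"get_file_contents", "search_code", "list_commits"}
SINK_TOOLS = {"create_pull_request", "create_issue", "add_issue_comment",
              "create_or_update_file", "push_files"}
NGRAM = 5  # words per shingle; longer means fewer false positives


def repo_of(rec):
    return f"{rec['args']['owner']}/{rec['args']['repo']}"


def shingles(text, n=NGRAM):
    """Set of lower-cased word n-grams; empty for texts shorter than n words."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def find_toxic_flows(trace):
    """Return one finding per (private read, public write) pair that shares text."""
    findings = []
    source = None        # index of the first call that ingested untrusted text
    private_reads = []   # (index, repo, shingle set) observed after the source
    for i, rec in enumerate(trace):
        tool, repo = rec["tool"], repo_of(rec)
        if source is None:
            if tool in SOURCE_TOOLS and rec["visibility"] == "public":
                source = i
            continue
        if tool in READ_TOOLS and rec["visibility"] == "private":
            private_reads.append((i, repo, shingles(rec.get("result", ""))))
        elif tool in SINK_TOOLS and rec["visibility"] == "public":
            outbound = shingles(json.dumps(rec["args"]))  # everything the write sends
            for j, priv_repo, priv_text in private_reads:
                overlap = priv_text & outbound
                if overlap:
                    findings.append({
                        "source_call": source, "private_read": j, "sink_call": i,
                        "private_repo": priv_repo, "sink_repo": repo,
                        "evidence": sorted(overlap)[0],
                    })
    return findings


# Constructed traces in the assumed log format; repo names and contents are made up.
ATTACK_TRACE = json.loads("""[
 {"tool": "list_issues", "visibility": "public",
  "args": {"owner": "ukend0464", "repo": "pacman"},
  "result": "#1 About the author (injected instructions elided)"},
 {"tool": "get_file_contents", "visibility": "private",
  "args": {"owner": "ukend0464", "repo": "private-repo", "path": "notes.md"},
  "result": "Project codename hydra ships in the third quarter. Internal payments service runs on account acct-1234."},
 {"tool": "create_pull_request", "visibility": "public",
  "args": {"owner": "ukend0464", "repo": "pacman", "title": "Add author section",
           "body": "About the author: the maintainer's project codename hydra ships in the third quarter and their internal payments service runs on account acct-1234."}}
]""")
BENIGN_TRACE = json.loads("""[
 {"tool": "list_issues", "visibility": "public",
  "args": {"owner": "ukend0464", "repo": "pacman"}, "result": "#1 Ghost movement bug"},
 {"tool": "get_file_contents", "visibility": "public",
  "args": {"owner": "ukend0464", "repo": "pacman", "path": "pacman.py"},
  "result": "def move_ghost(state): return state"},
 {"tool": "create_pull_request", "visibility": "public",
  "args": {"owner": "ukend0464", "repo": "pacman", "title": "Fix #1",
           "body": "Fix ghost movement bug from issue 1"}}
]""")

if __name__ == "__main__":
    for f in find_toxic_flows(ATTACK_TRACE):
        print(f"toxic flow: call {f['source_call']} -> {f['private_repo']} "
              f"(call {f['private_read']}) -> {f['sink_repo']} (call {f['sink_call']}); "
              f"shared text: {f['evidence']!r}")
    print("benign findings:", find_toxic_flows(BENIGN_TRACE))
```

The detector is deliberately order-sensitive: a private read that precedes the untrusted source is not counted, because the point of the flow is that the injection, not the user, caused the read. Running it on every completed session gives a cheap after-the-fact signal; the same logic, applied to the pending write before it is executed, turns it into a blocking control.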
...
Conclusion
In this blog post, we have shown a critical vulnerability affecting the GitHub MCP server, allowing attackers to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories. The vulnerability is among the first discovered by Invariant's security analyzer for detecting toxic agent flows.
...