Full Report
The Model Context Protocol (MCP) is a standard for how AI models can interact with external data sources and tools. This is important for cases where the model needs context-specific information from the user or the company that is somewhat dynamic, such as calendar information. On GitHub, there is an implementation of MCP for getting GitHub information, such as issues that has a vulnerability in it. The attack setup assumes there are two repos: a public and a private repo. When the GitHub MCP server gathers the information from the public repo (such as issues that anyone can open), there is the possibility of prompt injection. Once the session is poisoned, the LLM can use further privileges to do malicious things. The LLM can be tricked into using existing MCP integrations to leak information on private repos now. For instance, it can create a PR or create an issue on a public repository with the data from the private repo. It's pretty neat that the public data can be used for prompt injection to perform dangerous actions. Fixing this issue is not super straightforward, though - this is an architecture design flaw in the GitHub integration. Using more fine-grained access controls on GitHub tokens sorta works; however, the company has a tool for context-aware access control that's interesting. Although I did enjoy the vulnerability, there is too much marketing in the post for my taste.
Analysis Summary
# Vulnerability: Indirect Prompt Injection in GitHub MCP Server (Toxic Agent Flow)
## CVE Details
- **CVE ID**: Not Yet Assigned (Discovered by Invariant Labs)
- **CVSS Score**: High (Estimated 7.5 - 8.2)
- **CWE**: CWE-506 (Embedded Malicious Code), CWE-917 (Expression Language Injection / Prompt Injection)
## Affected Systems
- **Products**: GitHub Model Context Protocol (MCP) Server
- **Versions**: All versions prior to architectural mitigation (Inferred from GitHub repository `github/github-mcp-server`)
- **Configurations**: Any LLM client (e.g., Claude Desktop) integrated with the GitHub MCP server where the authenticated user has access to both public and private repositories.
## Vulnerability Description
The GitHub MCP server suffers from a design flaw that allows for **Indirect Prompt Injection**. When an agent fetches data from a public source (such as issues in a public repository), it may ingest a "toxic" payload planted by an attacker.
Because the LLM shares a single session context and a high-privilege GitHub Auth Token for both public and private data, the injected instructions can coerce the agent into performing "Toxic Agent Flows." In this specific exploit, the agent is tricked into reading data from the user’s **private repositories** and exfiltrating that sensitive information by creating a Pull Request or Issue in an **attacker-controlled public repository**.
## Exploitation
- **Status**: PoC available (Demonstrated by Invariant Labs)
- **Complexity**: Low
- **Attack Vector**: Network (Remote via malicious GitHub Issue)
## Impact
- **Confidentiality**: High (Access to proprietary code, private company data, and personal information)
- **Integrity**: Medium (Unauthorized creation of PRs/Issues and potential modification of repository state)
- **Availability**: Low (No direct service disruption reported)
## Remediation
### Patches
- No specific software patch version is listed; the original report suggests this is an **architectural design flaw** inherent in how the MCP server uses GitHub tokens.
### Workarounds
- **Fine-grained Access Tokens**: Use GitHub Personal Access Tokens (PATs) with the narrowest possible scopes (e.g., read-only for specific repos).
- **Manual Confirmation**: Disable "Always Allow" policies in MCP clients (like Claude Desktop) to manually inspect every tool call and outgoing data transfer.
- **Context Isolation**: Use separate MCP server instances or accounts for public versus private repository interactions.
## Detection
- **Indicators of Compromise**:
- Unexpected `get_contents` or `list_repositories` tool calls following a `get_issue` call on a public repo.
- Automated Pull Requests or Issues containing data that originated from private sources.
- **Detection methods and tools**:
- **Invariant Labs MCP-scan**: A security scanner designed to detect toxic flows in agentic workflows.
- **Guardrails**: Implementation of system-level interceptors to monitor and block data flow from private contexts to public outputs.
## References
- Invariant Labs Advisory: hxxps://invariantlabs[.]ai/blog/mcp-github-vulnerability
- GitHub MCP Server Repository: hxxps://github[.]com/github/github-mcp-server
- Invariant Explorer (Trace): hxxps://explorer[.]invariantlabs[.]ai/u/lbeurerkellner/claude-github-mcp-exploit/t/0?tab=traces