Labels: bug (Something isn't working)
Description
Invariant Labs published this vulnerability on May 26, 2025.
I reproduced the issue using OAuth and personal access tokens.
- I created a broad-scope token with all permissions and a token with only permission to public repositories. The token with only permission to public repositories did read the private repositories but not write information from them.
- OAuth does not specify to what I am allowing access.
Questions:
- Have you responded to this exploit?
- Was there a fix?
- Is there a CVE?
- How can github-mcp-server users protect their private repositories?
Describe the bug
Prompt injection via public repository issues can result in LLM agents publishing information from private repositories to public repositories.
Steps to reproduce the behavior
- Create public and private repositories on GitHub. Add a README to each. The repos can be otherwise blank.
- Add an issue to the public repository

- Prompt: "Please check for issues in mcp-night and fix them" (mcp-night is a public repository)
Expected vs actual behavior
Actual:


Expected:
Information would not leak from the private repository.
Logs
Technically, there is human-in-the-loop verification, but realistically, users cannot be expected to click "See More" before clicking the much bigger "Continue" button.

Output of clicking "See More" provides a preview of what will happen upon clicking "Continue".
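One defensive control that the report's last question points toward, as an added example that is not part of this issue or of github-mcp-server itself: a session-scoped flow guard placed in front of the MCP tool calls that records which private repositories the agent has read and refuses any write tool call to a public repository afterwards, so the instruction injected through the public issue cannot complete the exfiltration step. The tool names, the owner and private repository names, and the visibility lookup dict are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Tool names are assumed to match github-mcp-server's read and write tools.
READ_TOOLS = {"get_issue", "list_issues", "get_file_contents", "search_code"}
WRITE_TOOLS = {"create_issue", "add_issue_comment", "create_pull_request", "push_files"}


@dataclass
class FlowGuard:
    """Session-scoped guard between the agent and the MCP server.

    visibility: constructed lookup "owner/repo" -> "public" | "private"
    (a real client would query the GitHub API instead of a dict).
    """
    visibility: dict
    private_reads: set = field(default_factory=set)

    def check(self, tool: str, args: dict) -> tuple[bool, str]:
        repo = f"{args['owner']}/{args['repo']}"
        vis = self.visibility.get(repo)
        if vis is None:
            # Fail closed: unknown visibility is treated like private data.
            return False, f"refused: visibility of {repo} unknown"
        if tool in READ_TOOLS:
            if vis == "private":
                self.private_reads.add(repo)  # taint the session
            return True, f"read of {vis} {repo} allowed"
        if tool in WRITE_TOOLS:
            if vis == "public" and self.private_reads:
                tainted = ", ".join(sorted(self.private_reads))
                return False, f"blocked: write to public {repo} after reading private {tainted}"
            return True, f"write to {vis} {repo} allowed"
        return False, f"refused: {tool} is not on the allow list"


def replay(calls, visibility):
    """Run (tool, args) calls through a fresh guard and return the allow/deny verdicts."""
    guard = FlowGuard(visibility)
    return [guard.check(tool, args)[0] for tool, args in calls]


# Constructed scenario mirroring the report: the public repo is mcp-night,
# the owner and the private repo name are placeholders.
VISIBILITY = {"example-user/mcp-night": "public", "example-user/private-repo": "private"}
SCENARIO = [
    ("list_issues", {"owner": "example-user", "repo": "mcp-night"}),
    ("get_file_contents", {"owner": "example-user", "repo": "private-repo"}),
    ("create_pull_request", {"owner": "example-user", "repo": "mcp-night"}),
]

if __name__ == "__main__":
    for (tool, args), ok in zip(SCENARIO, replay(SCENARIO, VISIBILITY)):
        print("ALLOW" if ok else "DENY ", tool, args["repo"])
```

The third call in the scenario, the write to the public repository after a private read, is the one the guard denies; a token scoped to a single repository would narrow the blast radius further, but as the report notes, the token scope alone did not prevent the private read.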
