GitHub MCP Exploited: Accessing Private Repositories via MCP
a year ago
- #github
- #vulnerability
- #cybersecurity
- Invariant discovered a critical vulnerability in the GitHub MCP integration that lets an attacker hijack a user's agent through a malicious GitHub Issue and leak private repository data.
- The attack works by planting a malicious issue in a public repository; when the user's agent later reads that issue, the injected instructions steer it into accessing private repositories and exfiltrating their contents.
- Invariant's automated security scanners identified this as a 'Toxic Agent Flow', where agents are manipulated into unintended actions like data leaks or executing malicious code.
- The vulnerability is not specific to any particular agent or MCP client; it affects any agent that uses the GitHub MCP server, which points to a fundamental architectural issue rather than a bug in one product.
- Mitigation strategies include granular permission controls (limiting what repositories an agent session can touch) and continuous security monitoring with tools such as Invariant Guardrails and MCP-scan.
- Model alignment alone is insufficient to prevent such attacks, emphasizing the need for system-level security measures.
- Invariant offers early access to their security program for organizations looking to secure their agent systems against similar vulnerabilities.
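The "granular permission controls" mitigation above can be expressed as a per-session repository scope enforced on every tool call before it reaches the MCP server. The following is an added illustration written for this summary; it is not code from Invariant, Invariant Guardrails, MCP-scan, or the GitHub MCP project. The tool names and the `owner`/`repo` argument layout are modelled on the style of the GitHub MCP server's tools but are assumptions here, and the repository names in the replayed trace are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class ToolCall:
    """One MCP tool invocation the agent wants to make (hypothetical shape)."""
    name: str
    args: Dict[str, str]

@dataclass
class SessionPolicy:
    """Scope for one agent session: the only repositories it may read or write.

    The idea is that a session started to work on a public repository never
    gains access to the user's other (private) repositories, so a prompt
    injection in an issue cannot pivot into them.
    """
    allowed_repos: frozenset
    # Tools that do not name a repository (cross-repo search, user profile
    # lookups, ...) are denied by default; an operator can allowlist them.
    unscoped_tools_allowed: frozenset = field(default_factory=frozenset)

def repo_of(call: ToolCall) -> Optional[str]:
    """Return 'owner/repo' for a call that names a repository, else None."""
    owner, repo = call.args.get("owner"), call.args.get("repo")
    if owner and repo:
        return f"{owner}/{repo}"
    return None

def check_call(policy: SessionPolicy, call: ToolCall) -> Tuple[bool, str]:
    """Decide whether a tool call stays inside the session scope."""
    target = repo_of(call)
    if target is None:
        if call.name in policy.unscoped_tools_allowed:
            return True, "unscoped tool explicitly allowed"
        return False, f"{call.name}: no repository scope in arguments; denied by default"
    if target not in policy.allowed_repos:
        return False, (f"{call.name}: {target} is outside the session scope "
                       f"{sorted(policy.allowed_repos)}")
    return True, "ok"

def run_trace(policy: SessionPolicy, calls: List[ToolCall]) -> List[dict]:
    """Evaluate a sequence of calls and return an audit record per call.

    Denied calls are recorded rather than raised so the log shows the
    attempted pivot, which is the signal a monitoring tool would alert on.
    """
    audit = []
    for call in calls:
        allowed, reason = check_call(policy, call)
        audit.append({"tool": call.name, "repo": repo_of(call),
                      "allowed": allowed, "reason": reason})
    return audit

# Constructed replay of the flow described above: the session was opened to
# handle issues on a public repository; an injected issue then tries to make
# the agent read a private repository and publish what it found.
EXAMPLE_POLICY = SessionPolicy(allowed_repos=frozenset({"example-user/public-repo"}))
EXAMPLE_TRACE = [
    ToolCall("list_issues", {"owner": "example-user", "repo": "public-repo"}),
    ToolCall("get_file_contents", {"owner": "example-user", "repo": "private-repo",
                                   "path": "README.md"}),
    ToolCall("create_pull_request", {"owner": "example-user", "repo": "public-repo",
                                     "title": "Add author details"}),
]

if __name__ == "__main__":
    for entry in run_trace(EXAMPLE_POLICY, EXAMPLE_TRACE):
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f"{verdict} {entry['tool']:<22} {entry['repo']}  ({entry['reason']})")
```

Run as a script, the replay allows the two calls against `example-user/public-repo` and denies the read of `example-user/private-repo`, so the private data never reaches the agent's context and cannot be written into the public pull request. Scope checks like this sit alongside, not instead of, the monitoring the page mentions: the denied entry in the audit log is exactly the event a runtime guardrail should surface, and the pull-request write in the same session would still merit inspection because its content is derived from untrusted issue text.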