GitHub MCP Vulnerability

GitHub MCP gives full access to your GitHub repos (including private repo), ability to read/write issues, PR, etc

TLDR Version

An attacker can places a malicious issue like this and make the AI Agents to leak private information

How does it work?

1. An attacker will create a malicious prompt as issue in a public repo
2. If the user (who is using GitHub MCP) queries something like “fix the issues in X repo”
3. The malicious prompt gets triggered, which in turn executes other actions like reading content from private repo without the user’s knowledge (assumption: “Always Allow” confirmation or similar policy is configured)
4. Then the information gets leaked in public repo 🙈

Lesson

When using/building/experimenting with MCP, we need to be mindful of the attack like this and try to reduce the potential vulnerabilities

Credits

• Invariantlabs.ai for sharing about the attack and also illustrations

References

• https://invariantlabs.ai/blog/mcp-github-vulnerability
• https://simonwillison.net/2025/May/26/github-mcp-exploited/

Happy building apps!