
Exfiltrate information from private repositories

Open sei-renae opened this issue 4 months ago • 1 comments

Invariant Labs published this vulnerability on May 26, 2025. I reproduced the issue using OAuth and personal access tokens.

  • I created a broad-scope token with all permissions and a token with only permission to public repositories. The token with only permission to public repositories did read the private repositories but did not write information from them.
  • OAuth does not specify to what I am allowing access.

Questions:

  1. Have you responded to this exploit?
  2. Was there a fix?
  3. Is there a CVE?
  4. How can github-mcp-server users protect their private repositories?

Describe the bug

Prompt injection via public repository issues can result in LLM agents publishing information from private repositories to public repositories.

Steps to reproduce the behavior

  1. Create public and private repositories on GitHub. Add a README to each. The repos can be otherwise blank.
  2. Add an issue to the public repository.
     Image
  3. Prompt: "Please check for issues in mcp-night and fix them" (mcp-night is a public repository).

Expected vs actual behavior

Actual:

Image Image

Expected:

Information would not leak from the private repository.

Logs

Technically, there is human-in-the-loop verification, but realistically, users cannot be expected to click "See More" before clicking the much bigger "Continue" button.

Image

Output of clicking "See More" provides a preview of what will happen upon clicking "Continue".

Image

sei-renae, Aug 08 '25 19:08
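
Added example, not part of the original issue or of the github-mcp-server project: a log audit that flags the data flow reported above, where one agent session reads a private repository and then writes to a public one. The tool names, the log fields, the owner `example-user` and the private repository name are assumptions; the sample log is constructed.

```python
from dataclasses import dataclass

# Assumed tool names; replace with the tools your MCP client actually logs.
READ_TOOLS = {"get_file_contents", "get_issue", "list_issues"}
WRITE_TOOLS = {"create_or_update_file", "create_pull_request", "add_issue_comment"}
ISSUE_TOOLS = {"get_issue", "list_issues"}  # return text anyone can author

@dataclass(frozen=True)
class ToolCall:
    session: str
    tool: str
    repo: str  # "owner/name"

def find_private_to_public_flows(calls, private_repos):
    """Flag writes to a non-private repo made after the same session read a private one."""
    private_read = {}   # session -> private repos read so far
    untrusted = set()   # sessions that ingested issue text from a public repo
    findings = []
    for c in calls:
        is_private = c.repo in private_repos
        if c.tool in ISSUE_TOOLS and not is_private:
            untrusted.add(c.session)
        if c.tool in READ_TOOLS and is_private:
            private_read.setdefault(c.session, set()).add(c.repo)
        elif c.tool in WRITE_TOOLS and not is_private and private_read.get(c.session):
            findings.append({
                "session": c.session,
                "sources": sorted(private_read[c.session]),
                "sink": c.repo,
                "tool": c.tool,
                "after_public_issue": c.session in untrusted,
            })
    return findings

# Constructed sample log (hypothetical owner and private repo name).
PRIVATE = {"example-user/private-notes"}
SAMPLE = [
    ToolCall("s1", "list_issues", "example-user/mcp-night"),
    ToolCall("s1", "get_file_contents", "example-user/private-notes"),
    ToolCall("s1", "create_pull_request", "example-user/mcp-night"),
    ToolCall("s2", "get_file_contents", "example-user/private-notes"),
    ToolCall("s2", "create_or_update_file", "example-user/private-notes"),
    ToolCall("s3", "list_issues", "example-user/mcp-night"),
    ToolCall("s3", "create_pull_request", "example-user/mcp-night"),
]

if __name__ == "__main__":
    for f in find_private_to_public_flows(SAMPLE, PRIVATE):
        print(f)
```

Only session `s1` is flagged: it read public issue text, then a private repository, then wrote to the public repository. The same check can run before a write is approved instead of after the fact.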

Is this issue addressed now?

Are there any best practices from GitHub w.r.t configuration to prevent the data exfiltration?

kanikire-deshaw, Nov 24 '25 07:11