sidgupt12/git-mcp-server

critical

MCP server to communicate with github repo without the need to run docker

purpose: MCP server (purpose undetermined)
threat: network exposed
TypeScript · 5 · May 20, 2026 · May 20, 2026 · GITHUB
5/20/2026
high · 1 finding
src/index.ts
server.tool(
  "delete-repository",
  {
    owner: z.string().describe("Repository owner"),
    repo: z.string().describe("Repository name"),
    confirmation: z.boolean().describe("Confirmation to delete (must be true)")
  },
  async ({ owner, repo, confirmation }) => {
    try {
      if (!confirmation) {
        return { ... };
      }
      // ... deletion logic
    } catch (error) { ... }
  }
);
src/index.ts:654

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised.

The 'delete-repository' tool allows any repository to be deleted as long as the token has permissions. The only safeguard is a boolean confirmation parameter, which can be easily set to true by an attacker or a compromised LLM. There is no restriction on which repositories can be deleted (e.g., only repos created by this server).

Impact: An attacker could delete any GitHub repository accessible by the token, causing permanent data loss.

Fix: Restrict deletion to repositories created by this server or require additional authorization (e.g., a separate admin token). Add rate limiting and audit logging.

high · 1 finding
src/index.ts
const octokit = new Octokit({ auth: process.env.GITHUB_PERSONAL_ACCESS_TOKEN });
src/index.ts:7

// Exploitable if the MCP server's environment is compromised or if logs are exposed.

The GitHub Personal Access Token is read from an environment variable and used directly. While this is a common pattern, the token is not encrypted or masked in logs, and if the environment is compromised, the token is exposed.

Impact: An attacker with access to the environment or logs could steal the token and perform unauthorized GitHub API calls, including reading private repos, deleting repos, or modifying code.

Fix: Use a secrets manager or encrypted storage for the token. Ensure environment variables are not logged. Consider using short-lived tokens or OAuth flows.

high · 1 finding
src/index.ts
server.tool(
  "create-repository",
  {
    owner: z.string().optional(),
    name: z.string(),
    description: z.string().optional(),
    private: z.boolean().default(false),
    files: z.array(z.object({
      path: z.string(),
      content: z.string(),
    })).optional(),
    initializeWithReadme: z.boolean().default(true)
  },
  async ({ owner, name, description, private: isPrivate, files, initializeWithReadme }) => {
    // ... creates repo and optionally adds files
  }
);
src/index.ts:494

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised.

The 'create-repository' tool allows creating repositories with arbitrary file content. While this is the intended purpose, the scope is excessive because it can create repositories under any organization the token has access to, and can push arbitrary code. This could be used to create malicious repositories or exfiltrate data via file content.

Impact: An attacker could create repositories with malicious code, exfiltrate data by encoding it in file content, or abuse the token's permissions to create repos in unauthorized organizations.

Fix: Restrict repository creation to a specific user or organization. Validate file paths to prevent path traversal. Limit file content size and type.

medium · 1 finding
src/index.ts
const owner = Array.isArray(params.owner) ? params.owner[0] : params.owner;
const repo = Array.isArray(params.repo) ? params.repo[0] : params.repo;
src/index.ts:22-23

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised.

The owner and repo parameters are not validated against a whitelist or pattern. They are passed directly to GitHub API calls. While GitHub API has its own validation, this could allow accessing repositories outside the intended scope (e.g., any public repo).

Impact: An attacker could query or modify any repository accessible by the token, including private repos of other organizations if the token has broad permissions.

Fix: Validate owner and repo against a list of allowed repositories or enforce a pattern (e.g., only repos owned by the authenticated user).

medium · 1 finding
src/index.ts
files: z.array(
  z.object({
    path: z.string().describe("File path including name (e.g. 'README.md' or 'src/index.js')"),
    content: z.string().describe("Content of the file"),
  })
).optional()
src/index.ts:501-506

// Exploitable if MCP is exposed to untrusted prompts or if LLM is compromised.

The file path parameter is not validated to prevent path traversal (e.g., '../../etc/passwd'). While GitHub API may reject some paths, it's possible to create files with unexpected paths that could overwrite important files in the repository.

Impact: An attacker could create files with path traversal sequences to overwrite critical files in the repository (e.g., .git/config, CI/CD configuration).

Fix: Validate file paths to ensure they are within the repository root and do not contain path traversal sequences (e.g., '..' or absolute paths).

github.access · shell.exec · env.exposure
100
LLM-based
high findings +75
medium findings +30