
mcp-breach-to-fix-labs

by PawelKozy

Overview

GitHub code review assistant demonstrating prompt injection vulnerability and its mitigation in an MCP server.

Installation

Run Command
docker compose up github-public-issue-vulnerable

Environment Variables

  • CH09_OWNER
  • LOG_LEVEL
  • CHALLENGE_HOST
  • CHALLENGE_PORT

Security Notes

The 'vulnerable' server component is intentionally designed to be highly insecure for demonstration purposes. It suffers from a critical prompt injection vulnerability where malicious instructions embedded in public GitHub issues are executed verbatim by the AI agent. This allows unauthorized tool calls to 'get_repo_webhooks' (exfiltrating sensitive webhook URLs and GitHub API tokens) and 'create_issue_comment' (posting these secrets back to a public issue). The 'secure' server component mitigates these risks through multi-layered defenses: (1) Role-Based Access Control (RBAC) with default-deny, (2) automatic permission demotion when untrusted public content is viewed, (3) sanitization of issue content to remove directives, and (4) output validation to prevent comments containing sensitive patterns. Due to the intentional vulnerabilities in the 'vulnerable' component, it is not safe for deployment outside of isolated lab environments.

Stats

  • Interest Score: 36
  • Security Score: 1
  • Cost Class: Low
  • Avg Tokens: 200
  • Stars: 3
  • Forks: 0
  • Last Update: 2025-12-03

Tags

  • GitHub
  • MCP
  • Prompt Injection
  • RBAC
  • Security
  • Vulnerability