In an interview, Porat suggested there wasn’t much that infosec leaders or developers could have done between the discovery of the vulnerability and the release of the more secure version of Git MCP Server. A prompt injection attack would work on the unpatched version even in its most secure configuration, he said.
“You need guardrails around each [AI] agent and what it can do, what it can touch,” Tal added. “You need to also, if there is an incident, be able to look back at everything the agent did.”
The problem with MCP servers is that they give the LLM access to execute sensitive functions, commented Johannes Ullrich, dean of research at the SANS Institute. “How much of a problem this is depends on the particular features they have access to. But once an MCP server is configured, the LLM will use the content it receives to act on and execute code (in this case, in git).
