ICU

Risk: critical

@cyanheads/git-mcp-server

v2.8.4

A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.

Registry: npm | Publisher: cyanheads | First seen: Feb 22, 2026

Summary: 5 findings total (2 critical, 1 high, 2 medium)

Findings

critical | DE-002 | Data Exfiltration | High confidence | Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The matched text is README prose (line 170 below) that documents `.env`-based configuration; the rule fired on the string `.env`, not on code that reads or transmits the file. To triage, inspect `src/config/index.ts`, the file the README names as the place configuration is loaded and validated, and confirm the values are only consumed locally for server configuration.

    168: ## ⚙️ Configuration
    169: 
>>> 170: All configuration is centralized and validated at startup in `src/config/index.ts`. Key environment variables in your `.env` file include:
    171: 
    172: | Variable                       | Description                                                                                                                                               | Default     |
critical | OB-004 | Obfuscation | Medium confidence | Line 0

Zero-width character detected (potential hidden content)

Detected by automated pattern matching (rule OB-004) with medium confidence. May be a false positive. The zero-width code point in the matched line (328 below) is U+200D ZERO WIDTH JOINER inside the "technologist" emoji, which Unicode encodes as U+1F9D1 + U+200D + U+1F4BB; a ZWJ between two emoji components is a standard emoji ZWJ sequence, not hidden text. The finding only matters if zero-width characters also occur outside emoji sequences, for example between ASCII letters or inside commands.

    326: **For Developers**: When creating custom tools, always include complete data in your `responseFormatter`. Balance human-readable summaries with comprehensive structured information. See [`AGENTS.md`](AGENTS.md) for response formatter best practices and the [MCP specification](https://modelcontextprotocol.io/specification/2025-11-25/server/tools) for technical details.
    327: 
>>> 328: ## 🧑‍💻 Agent Development Guide
    329: 
    330: For strict rules when using this server with an AI agent, refer to the **`AGENTS.md`** file in this repository. Key principles include:
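The distinction that rule OB-004 misses is whether a zero-width code point sits inside an emoji ZWJ sequence or between ordinary characters. The following triage script is an added example, not code from the scanner or from the git-mcp-server project; its samples are constructed, and the emoji code-point ranges it whitelists are an assumption (a coarse cover of the pictograph and symbol blocks plus VS16), not the full Unicode emoji property.

```python
import unicodedata

# Zero-width / invisible code points that can hide content in otherwise normal text.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u180e"}


def is_emoji_component(ch: str) -> bool:
    """True for code points that legitimately sit on either side of a ZWJ in an
    emoji sequence: pictographs, symbols, skin-tone modifiers and VS16 (U+FE0F).
    Assumption: these ranges are a coarse approximation of the emoji property."""
    cp = ord(ch)
    return (
        0x1F000 <= cp <= 0x1FAFF      # emoticons, pictographs, symbols (incl. modifiers 1F3FB-1F3FF)
        or 0x2600 <= cp <= 0x27BF     # Miscellaneous Symbols, Dingbats
        or cp == 0xFE0F               # VARIATION SELECTOR-16 (emoji presentation)
    )


def find_zero_width(text: str) -> list:
    """Locate every zero-width code point and record whether its context is benign."""
    hits = []
    for i, ch in enumerate(text):
        if ch not in ZERO_WIDTH:
            continue
        prev = text[i - 1] if i > 0 else ""
        nxt = text[i + 1] if i + 1 < len(text) else ""
        # U+200D joining two emoji components is a standard emoji ZWJ sequence.
        emoji_zwj = (ch == "\u200d" and bool(prev) and bool(nxt)
                     and is_emoji_component(prev) and is_emoji_component(nxt))
        # U+FEFF as the very first character of a file is a byte-order mark, not hidden text.
        bom = ch == "\ufeff" and i == 0
        hits.append({
            "offset": i,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch),
            "benign": emoji_zwj or bom,
        })
    return hits


def triage(text: str) -> str:
    """Collapse the hits into the verdict a rule like OB-004 should report."""
    hits = find_zero_width(text)
    if not hits:
        return "clean"
    return "benign" if all(h["benign"] for h in hits) else "suspicious"


# Constructed samples (not taken from the package):
EMOJI_HEADING = "## \U0001F9D1\u200d\U0001F4BB Agent Development Guide"  # technologist = 1F9D1 ZWJ 1F4BB
HIDDEN_ZWSP = "Run npm test\u200b\u200b before pushing"                  # zero-width spaces inside prose
SMUGGLED_ZWJ = "gi\u200dt push"                                           # ZWJ between ASCII letters
BOM_FILE = "\ufeff# README"                                              # UTF-8 BOM at start of a file

if __name__ == "__main__":
    for sample in (EMOJI_HEADING, HIDDEN_ZWSP, SMUGGLED_ZWJ, BOM_FILE):
        print(triage(sample), find_zero_width(sample))
```

Run over the README heading that tripped the rule, the only hit is U+200D flanked by two emoji components and the verdict is "benign"; the same code point between two ASCII letters, or any U+200B, is still reported as suspicious.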
high | SC-005 | Suspicious Commands | Medium confidence | Line 0

Node.js child process spawning

Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive. The rule matched the string `child_process.spawn` in the README feature list (line 132 below), not a call site. Spawning the git CLI is the server's documented design, so the presence of spawn is expected; what to review in the provider code is whether git receives its arguments as an argv array rather than through a shell, and how the working directory for each invocation is constrained.

    130: Plus, specialized features for **Git integration**:
    131: 
>>> 132: - **Cross-Runtime Compatibility**: Works seamlessly with both Bun and Node.js runtimes. Automatically detects the runtime and uses optimal process spawning (Bun.spawn in Bun, child_process.spawn in Node.js).
    133: - **Provider-Based Architecture**: Pluggable git provider system with current CLI implementation and planned isomorphic-git provider for edge deployment.
    134: - **Optimized Git Execution**: Direct git CLI interaction with cross-runtime support for high-performance process management, streaming I/O, and timeout handling (current CLI provider).
medium | EN-001 | unknown | Medium confidence | Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive. The report attaches no matched line for this finding, so the string cannot be triaged from this page. 4.5 bits per character is typical of long URLs, hashes and base64-like text as well as of encoded payloads, so the matched string itself is needed to tell them apart.

medium | OB-001 | Obfuscation | Medium confidence | Line 0

Possible Base64-encoded payload (long encoded string)

Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive. The matched line (10 below) is the README badge row: a single long line of shields.io badge URLs. It contains `:`, `.`, `?`, `-` and `%`, none of which belong to the base64 alphabet, so the line cannot be a base64-encoded payload; the rule tripped on its length and character mix.

    8: <div align="center">
    9: 
>>> 10: [![Version](https://img.shields.io/badge/Version-2.8.4-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--11--25-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-11-25/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.26.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/git-mcp-server/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^5.9.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.2.21-blueviolet.svg?style=flat-square)](https://bun.sh/)
    11: 
    12: </div>
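Both EN-001 (entropy) and OB-001 (base64) fire on the same property, a long line with many distinct characters, and neither checks whether the text is actually decodable. The script below is an added example, not the scanner's rules or project code: it computes Shannon entropy the way a 4.5 bits/char threshold implies, and only reports a base64 payload when a token is drawn purely from the base64 alphabet, is a multiple of four characters long and decodes under strict validation. The badge row and the encoded one-liner it runs on are constructed samples; the 40-character minimum and the token delimiters are assumptions.

```python
import base64
import binascii
import math
import re
from collections import Counter
from typing import Optional

# Strict base64 token: only the base64 alphabet, long enough to matter, optional padding.
# The 40-character minimum is an assumed threshold.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Markdown/link punctuation used to split a line into candidate tokens (assumed delimiters).
SPLIT_ON = re.compile(r"[\s\[\]()<>\"']+")


def shannon_entropy(s: str) -> float:
    """Bits per character, the metric behind 'high-entropy string' rules such as EN-001."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def decode_base64_strict(token: str) -> Optional[bytes]:
    """Return the decoded bytes only if the token is well-formed base64; otherwise None."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def triage_line(line: str, entropy_threshold: float = 4.5) -> dict:
    """Decide whether a 'possible base64 payload' hit is real or just dense text."""
    ent = shannon_entropy(line)
    for token in SPLIT_ON.split(line):
        decoded = decode_base64_strict(token)
        if decoded is None:
            continue
        printable = all(32 <= b < 127 or b in (9, 10, 13) for b in decoded)
        return {"verdict": "base64-payload",
                "kind": "text" if printable else "binary",
                "entropy": ent}
    if ent >= entropy_threshold:
        return {"verdict": "high-entropy-not-base64", "entropy": ent}
    return {"verdict": "clean", "entropy": ent}


# Constructed samples (not from the package). BADGE_ROW mimics the README badge line that
# tripped OB-001: long, but every token contains ':', '.', '?', '-' or '%', none of them base64.
BADGE_ROW = (
    "[![Version](https://img.shields.io/badge/Version-2.8.4-blue.svg?style=flat-square)](./CHANGELOG.md) "
    "[![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE)"
)
# A genuine encoded string: base64 of a constructed, harmless shell one-liner (49 bytes -> 68 chars).
ENCODED = base64.b64encode(b"echo constructed sample payload; echo second line").decode()

if __name__ == "__main__":
    for sample in (BADGE_ROW, ENCODED):
        result = triage_line(sample)
        print(f"{result['verdict']:<26} entropy={result['entropy']:.2f}")
    print(decode_base64_strict(ENCODED))
```

The badge row never yields a base64 verdict because no token survives the alphabet check, whatever its entropy; the encoded sample decodes under `validate=True` and is classified as a text payload, which is the case a reviewer actually needs to open.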

Scan History

Date         | Risk     | Findings
Feb 26, 2026 | critical | 5
Feb 23, 2026 | critical | 5
Feb 22, 2026 | critical | 5