mcpsec 1.0.1

Security scanner and protocol fuzzer for MCP (Model Context Protocol) servers. Found and reported vulnerabilities in official Anthropic and GitHub MCP implementations.

⚡ mcpsec

Security scanner for MCP (Model Context Protocol) server implementations.

MCP is the universal protocol connecting AI agents (Claude, ChatGPT, Gemini, Cursor) to external tools and data sources. It's adopted by every major AI company — Anthropic, OpenAI, Google, Microsoft. Its security is broken. mcpsec finds the vulnerabilities.

  ███╗   ███╗ ██████╗██████╗ ███████╗███████╗ ██████╗
  ████╗ ████║██╔════╝██╔══██╗██╔════╝██╔════╝██╔════╝
  ██╔████╔██║██║     ██████╔╝███████╗█████╗  ██║     
  ██║╚██╔╝██║██║     ██╔═══╝ ╚════██║██╔══╝  ██║     
  ██║ ╚═╝ ██║╚██████╗██║     ███████║███████╗╚██████╗
  ╚═╝     ╚═╝ ╚═════╝╚═╝     ╚══════╝╚══════╝ ╚═════╝

Why?

• 82% of MCP implementations have path traversal vulnerabilities (Endor Labs)
• 67% are vulnerable to code injection
• ~2,000 internet-exposed MCP servers found with zero authentication (Knostic)
• Anthropic's own Git MCP server had 3 critical RCE vulnerabilities (CVE-2025-68143/44/45)
• Nobody built an open-source scanner for this. Until now.

Proven Results

mcpsec has been used to discover and responsibly report multiple vulnerabilities across official MCP implementations by major technology companies. Findings include transport-layer crashes, unhandled exception panics, and protocol-level denial of service issues affecting the Python SDK, TypeScript SDK, and Go SDK ecosystems.

• 5 bugs reported across Anthropic and GitHub MCP implementations
• 3 SDK ecosystems affected (Python, TypeScript, Go)
• Fixes submitted within hours of initial reports
• Reproduced known CVEs: CVE-2025-53967 (Figma MCP), CVE-2025-53818 (Kanban MCP)
• SQL injection confirmed in community MCP servers via static analysis

Details will be published following responsible disclosure timelines.

Install

pip install mcpsec

Quick Start

# Scan an MCP server running via stdio
mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"

# 💥 Run Mega Fuzzer (500+ security test cases)
mcpsec fuzz --stdio "python my_server.py" --intensity high

# 🧠 Run AI-Powered Fuzzing (Context-aware adversarial payloads)
# Requires OPENAI_API_KEY
mcpsec fuzz --stdio "python my_server.py" --ai

# Enumerate attack surface
mcpsec info --stdio "python my_server.py"

# Static Audit (Source Code Analysis)
mcpsec audit --path . --ai

# List available scanners
mcpsec list-scanners

Mega Fuzzer (New in v1.0.1)

mcpsec v1.0.1 introduces a significantly expanded fuzzing engine designed to find edge cases in MCP protocol handlers and tool implementations, along with critical fixes for OS-level buffer deadlocks preventing deep scanning of huge target stacks like the Kubernetes server.

• 500+ Security Test Cases: Exhaustive coverage for malformed JSON, protocol violations, type confusion, boundary values, and encoding attacks.
• AI-Powered Payloads: Use --ai to leverage LLMs to generate context-aware adversarial payloads based on your server's specific tool schemas.
• Enhanced Reliability: Completely resolved a major "Fuzzer State Desync" bug that caused pipe deadlocks when target servers crashed under intense payloads.
• Custom Timeouts: Use --timeout (default 5.0s) to accommodate slower target servers like Puppeteer without triggering premature hang detections.
• Refined Intensity Tiers:
  • low: Core protocol smoke tests (~65 cases)
  • medium: Standard security baseline (~150 cases)
  • high: Full regression suite (500+ cases)
  • insane: Includes resource exhaustion and DoS patterns
  • ai: High intensity + AI-generated payloads

Scanners

Scanner	Type	What It Detects
prompt-injection	Static	Hidden instructions, base64-encoded payloads, cross-tool manipulation, data exfiltration indicators in tool descriptions
auth-audit	Static	Missing authentication, over-permissioned tools, dangerous tool combinations, misleading annotations
path-traversal	Dynamic	File path traversal via ../../ payloads — proves exploitation with actual file contents
command-injection	Dynamic	OS command injection via shell escape characters — proves exploitation with command output
ssrf	Dynamic	Server-Side Request Forgery targeting cloud metadata endpoints and internal services
protocol-fuzzer	Dynamic	(500+ Cases) Malformed JSON-RPC, boundary testing, state-machine violations, type confusion to find crashes
ai-payloads	Dynamic	(New) Context-aware payloads generated by LLMs (SQLi, Logic bugs, Edge cases)

How It Works

┌─────────┐     MCP Protocol      ┌────────────┐
│ mcpsec  │ ◄──── JSON-RPC ────►  │ Target MCP │
│ client  │    (stdio or HTTP)    │   Server   │
└────┬────┘                       └────────────┘
     │
     ├── 1. Connect (stdio subprocess or HTTP)
     ├── 2. Enumerate tools, resources, prompts  
     ├── 3. Run static scanners (analyze descriptions)
     ├── 4. Generate & Run dynamic payloads (Fuzzing + AI)
     └── 5. Report findings with evidence + remediation

Features

• ✅ Prompt injection scanner
• ✅ Authentication & authorization audit
• ✅ Path traversal scanner (dynamic proof-of-exploitation)
• ✅ Command injection scanner (dynamic proof-of-exploitation)
• ✅ SSRF scanner
• ✅ JSON report output
• ✅ Static source code analysis with Semgrep rules
• ✅ Protocol Fuzzer (500+ adversarial test cases)
• ✅ AI-Powered Fuzzing (LLM-generated payloads per tool schema)
• ✅ Custom timeouts for slow targets (--timeout)

Contributing

Contributions welcome! See CONTRIBUTING.md for details on how to set up your environment and add new scanners.

Disclaimer

This tool is intended for authorized security testing only. Only scan MCP servers you own or have explicit permission to test. The authors are not responsible for misuse.

License

MIT

---

Built by Manthan — because your AI agents deserve a pentest too.