Security scanner and protocol fuzzer for MCP (Model Context Protocol) servers. Found and reported vulnerabilities in official Anthropic and GitHub MCP implementations.
Project description
mcpsec
Security scanner and protocol fuzzer for MCP servers.
Most MCP security tools do static analysis. mcpsec connects to live servers and proves exploitation.
Installation • Usage • Scanners • Fuzzing
Why mcpsec?
MCP is the protocol connecting AI agents (Claude, Cursor, VS Code) to external tools. Every major AI company uses it. Its security is often overlooked.
- 82% of MCP implementations have path traversal vulnerabilities
- 67% are vulnerable to code injection
- ~2,000 internet-exposed MCP servers found with zero authentication
- Anthropic's own Git MCP server had 3 critical RCE vulnerabilities
mcpsec has been used to discover and report 12+ vulnerabilities across Anthropic and GitHub MCP implementations, affecting Python, TypeScript, and Go SDK ecosystems.
Installation
pip install mcpsec
For AI-powered features:
pip install mcpsec[ai]
Usage
Runtime Scanning
# Scan via stdio
mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"
# Scan via HTTP with auth
mcpsec scan --http http://localhost:8080/mcp -H "Authorization: Bearer TOKEN"
# Enumerate attack surface
mcpsec info --stdio "python my_server.py"
# Advanced SQL Injection Discovery
mcpsec sql --stdio "npx @benborla29/mcp-server-mysql" --fingerprint
# Attack Chain Analysis (Priority 0)
mcpsec chains --stdio "npx @example/complex-server"
Protocol Fuzzing
# Standard fuzzing (150+ cases)
mcpsec fuzz --stdio "python my_server.py"
# High intensity (500+ cases)
mcpsec fuzz --stdio "python my_server.py" --intensity high
# Target specific attack class
mcpsec fuzz --stdio "python my_server.py" -g protocol_state_machine
mcpsec fuzz --stdio "python my_server.py" -g id_confusion
# AI-powered payload generation
mcpsec fuzz --stdio "python my_server.py" --ai
Static Analysis
# Local source
mcpsec audit --path ./my-mcp-server
# GitHub repository
mcpsec audit --github https://github.com/user/mcp-server
# With AI validation
mcpsec audit --github https://github.com/user/mcp-server --ai
Rogue Server (Client Testing)
# Test MCP clients for vulnerabilities
mcpsec rogue-server --port 9999 --attack all
Scanners
| Scanner | Description |
|---|---|
prompt-injection |
Hidden instructions in tool descriptions |
command-injection |
OS command injection with proof of exploitation |
path-traversal |
File traversal with proof of exploitation |
ssrf |
Server-Side Request Forgery to internal services |
auth-audit |
Missing auth, dangerous tool combinations |
description-prompt-injection |
LLM manipulation via descriptions |
resource-ssrf |
SSRF via MCP resource URIs |
capability-escalation |
Undeclared capability abuse |
sql |
Modular SQL Injection (Error, Time, Boolean, Stacked) |
chains |
Tool Chain Analysis (Dangerous combinations detection) |
sql-rce |
SQL Injection to RCE/File access (Legacy) |
Fuzz Generators
| Generator | Description |
|---|---|
malformed_json |
Invalid JSON structures |
protocol_violation |
JSON-RPC spec violations |
type_confusion |
Type mismatch attacks |
unicode_attacks |
Encoding edge cases |
injection_payloads |
SQLi, XSS, command injection |
protocol_state_machine |
MCP state violations |
id_confusion |
JSON-RPC ID edge cases |
Semgrep Rules
49 MCP-specific rules:
- Command injection (
exec,spawn,child_process) - SQL injection (raw queries, ORM bypass)
- Path traversal (
path.joinwith unsanitized input) - Description injection (dynamic tool descriptions)
- Resource URI issues (SSRF vectors)
- Protocol handler vulnerabilities
Configuration
AI Provider Setup
mcpsec setup
Supports: OpenAI, Anthropic, Google, Groq, DeepSeek, Ollama
Output Formats
# JSON
mcpsec scan --stdio "server" --output results.json
# SARIF (CI/CD)
mcpsec fuzz --stdio "server" --output results.sarif
How It Works
┌─────────┐ MCP Protocol ┌────────────┐
│ mcpsec │ ◄──── JSON-RPC ────► │ Target │
│ │ (stdio / HTTP) │ Server │
└────┬────┘ └────────────┘
│
├── Connect & enumerate attack surface
├── Run static scanners
├── Generate dynamic payloads
├── Execute fuzzing campaigns
└── Report findings with evidence
Disclaimer
For authorized security testing only. Only scan servers you own or have permission to test.
Changelog
v2.3.0 (2026-02-28)
- Scanner Nuclear Expansion: CmdInj 138, PathTrav 104, SSRF 81 payloads — encoding bypasses, protocol smuggling, shell-specific evasion.
- Confirmation-Based Detection: Regex matching with CONFIRMED/LIKELY confidence scoring.
- 5 New Fuzzer Generators: Integer boundaries, concurrency attacks, memory exhaustion, regex DoS, deserialization (187+ new test cases).
- SDK Audit Rules: New Semgrep rules for Go, Rust, Python async, and .NET MCP servers.
v2.2.0 (2026-02-28)
- SARIF 2.1.0 Output:
--format sarifflag onscan,fuzz, andauditfor GitHub/GitLab/Azure DevOps CI/CD integration. - CWE Mapping & Severity Scores: Automatic CWE classification and GitHub-compatible security-severity scoring.
- Audit Report Export: New
--outputand--formatflags formcpsec audit. - Bugfixes: Fixed exploit
runparameter resolution and AI client import.
v2.1.0 (2026-02-27)
- AI Exploitation Assistant: New REPL commands (
select,run,next,verdict,auto) for interactive AI-led testing. - Expert Controls: Added
edit,aggressive, andhintto guide AI toward complex bypasses. - Feedback Loop: AI now learns from manual
callcommands and response history. - Robustness: Fixed
Findingmodel schema and improved--from-scanreport ingestion.
v2.0.3 (2026-02-26)
- Interactive Exploitation (MCP Repeater): New REPL for manual/semi-auto validation of findings.
- AI Payload Engine: Context-aware payload recommendations integrated into playbooks.
- Exploit Playbooks: Attack sequences for SQLi, RCE, SSRF, and more.
- Evidence Capture: Automated logging and PoC script generation.
v2.0.2 (2026-02-26)
- Tool Chain Analysis: Detect dangerous tool combinations (read+exec, sql+exfil).
- Cross-Platform Priority: Robust Windows support for
npx, modern path resolution. - Improved UI: Refined terminal output and error reporting.
v2.0.1 (2026-02-25)
- Advanced SQL Scanner: Modular architecture with error/time/boolean detection.
- DB Fingerprinting: Automated identification of MySQL, Postgres, MSSQL, and SQLite.
- Enhanced Heuristics: Better tool and parameter surface discovery.
v2.0.0 (2026-02-24)
- Fuzzing Engine v2: Chained fuzzer for deep state-machine exploration.
- AI-Powered Validation: LLM verification of potential security findings.
License
Built by Manthan Ghasadiya
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
mcpsec-2.3.0.tar.gz
(195.9 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
mcpsec-2.3.0-py3-none-any.whl
(233.7 kB
view details)
File details
Details for the file mcpsec-2.3.0.tar.gz.
File metadata
- Download URL: mcpsec-2.3.0.tar.gz
- Upload date:
- Size: 195.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1c8022a46eb18de13ebd3ccbcbea20869315731297d506f5b9db86496a7a90f5
|
|
| MD5 |
61ba99f934169c5ad6fb784aed672b2b
|
|
| BLAKE2b-256 |
4401a46789dac3e3e2d3c8d0bbcb2a43ebbb995aee480a90eca47475a7ce3694
|
File details
Details for the file mcpsec-2.3.0-py3-none-any.whl.
File metadata
- Download URL: mcpsec-2.3.0-py3-none-any.whl
- Upload date:
- Size: 233.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4f07cd7b32d643b47625bac00a721315de0d0810093824f7d48d1ff90f3dbd13
|
|
| MD5 |
95e9eff7400e7e82af0bc266e7b791ee
|
|
| BLAKE2b-256 |
28860c7701388ec75961c60c295fdb104a5fea03e1c87958513e7e6fe8a08534
|
