Security scanner and protocol fuzzer for MCP (Model Context Protocol) servers. Found and reported vulnerabilities in official Anthropic and GitHub MCP implementations.
Project description
mcpsec
Security scanner and protocol fuzzer for MCP servers
Why mcpsec?
MCP (Model Context Protocol) connects AI agents to external tools. Claude Desktop, Cursor, VS Code Copilot, and every major AI IDE uses it. Security is often an afterthought.
Most MCP security tools do static analysis. mcpsec connects to live servers and proves exploitation.
Installation
pip install mcpsec
For AI-powered features:
pip install mcpsec[ai]
Quick Start
Runtime Scanning
# Scan via stdio
mcpsec scan --stdio "npx @modelcontextprotocol/server-filesystem /tmp"
# Scan via HTTP with auth
mcpsec scan --http http://localhost:8080/mcp -H "Authorization: Bearer TOKEN"
# Enumerate attack surface
mcpsec info --stdio "python my_server.py"
Protocol Fuzzing
# Standard fuzzing (~200 cases)
mcpsec fuzz --stdio "python my_server.py"
# High intensity (~800 cases)
mcpsec fuzz --stdio "python my_server.py" --intensity high
# AI-powered payload generation
mcpsec fuzz --stdio "python my_server.py" --ai
Static Analysis
# Local source
mcpsec audit --path ./my-mcp-server
# GitHub repository
mcpsec audit --github https://github.com/user/mcp-server
# With AI validation
mcpsec audit --github https://github.com/user/mcp-server --ai
Advanced
# SQL Injection scanner with DB fingerprinting
mcpsec sql --stdio "npx @benborla29/mcp-server-mysql" --fingerprint
# Dangerous tool chain detection
mcpsec chains --stdio "npx @example/complex-server"
# Interactive exploitation REPL
mcpsec exploit --stdio "npx vulnerable-server"
# Rogue server for client-side testing
mcpsec rogue-server --port 9999 --attack all
Scanners
| Scanner | Description |
|---|---|
prompt-injection |
Hidden instructions in tool descriptions |
command-injection |
OS command injection with 138 payloads |
path-traversal |
Directory traversal with 104 payloads |
ssrf |
Server-Side Request Forgery with 81 payloads |
sql |
SQL Injection (Error, Time, Boolean, Stacked) |
auth-audit |
Missing authentication, dangerous tool combos |
description-prompt-injection |
LLM manipulation via descriptions |
resource-ssrf |
SSRF via MCP resource URIs |
capability-escalation |
Undeclared capability abuse |
chains |
Dangerous tool combination detection |
Fuzz Generators
22 generators organized by intensity level:
Low (~65 cases): malformed_json, protocol_violation, type_confusion, boundary_testing, unicode_attacks
Medium (~200 cases): + session_attacks, encoding_attacks, integer_boundaries
High (~800 cases): + injection_payloads, method_mutations, param_mutations, timing_attacks, header_mutations, json_edge_cases, protocol_state, protocol_state_machine, id_confusion, concurrency_attacks, regex_dos, deserialization
Insane (~1500+ cases): + resource_exhaustion, memory_exhaustion_v2
Static Analysis (149 Semgrep Rules)
24 rule files covering:
- Injection: Command injection (JS, Go, Rust, .NET, Python, Python async), SQL injection (all drivers + ORM bypass), path traversal
- Network: SSRF patterns, resource URI issues
- Secrets: AWS keys, API tokens, JWT secrets, connection strings, private keys
- MCP-Specific: Dangerous tool names, empty schemas, input reflection, missing auth
- Code Quality: Security TODOs, empty catches, TLS disabled, CORS *, ReDoS patterns
How It Works
┌─────────┐ MCP Protocol ┌────────────┐
│ mcpsec │ ◄──── JSON-RPC ────► │ Target │
│ │ (stdio / HTTP) │ Server │
└────┬────┘ └────────────┘
│
├── Connect & enumerate attack surface
├── Run 10+ security scanners
├── Generate 800+ fuzz cases
├── Execute AI-powered payload mutations
└── Report findings with PoC evidence
Configuration
AI Provider Setup
mcpsec setup
Supports: OpenAI, Anthropic, Google, Groq, DeepSeek, Ollama
Output Formats
# JSON
mcpsec scan --stdio "server" --output results.json
# SARIF 2.1.0 (GitHub/GitLab/Azure DevOps CI/CD)
mcpsec fuzz --stdio "server" --output results.sarif
Changelog
v2.4.0 (2026-02-28)
- SAST Rules Expansion: 87 new Semgrep rules → 149 total across 24 rule files
- Broad patterns for command injection, path traversal, SQL injection, SSRF, deserialization
- Secrets detection: AWS keys, AI API keys, GitHub/Slack tokens, JWT secrets
- MCP-specific rules: dangerous tool names, empty schemas, error leaks, input reflection
- Code smells: security TODOs, empty catches, TLS disabled, CORS *, ReDoS patterns
v2.3.0 (2026-02-28)
- Scanner Nuclear Expansion: Command injection (138), path traversal (104), SSRF (81) payloads
- Encoding bypasses, protocol smuggling, shell-specific evasion
- 5 new fuzz generators: integer boundaries, concurrency, memory exhaustion, regex DoS, deserialization
- SDK-specific Semgrep rules for Go, Rust, Python async, .NET
v2.2.0 (2026-02-28)
- SARIF 2.1.0 Output for CI/CD integration
- CWE mapping and severity scoring
- Audit report export with
--outputand--formatflags
v2.1.0 (2026-02-27)
- AI Exploitation Assistant:
select,run,next,verdict,autoREPL commands - Expert controls:
edit,aggressive,hintfor complex bypasses - AI learns from manual
callcommands and response history
v2.0.3 (2026-02-26)
- MCP Repeater: Interactive REPL for manual/semi-auto finding validation
- AI payload engine with context-aware recommendations
- Exploit playbooks for SQLi, RCE, SSRF, path traversal
- Automated evidence capture and PoC generation
Earlier versions
v2.0.2 (2026-02-26)
- Tool chain analysis for dangerous combinations
- Cross-platform Windows support improvements
v2.0.1 (2026-02-25)
- Advanced SQL scanner with modular detection
- DB fingerprinting for MySQL, Postgres, MSSQL, SQLite
v2.0.0 (2026-02-24)
- Fuzzing engine v2 with chained state-machine exploration
- AI-powered validation of security findings
Disclaimer
For authorized security testing only. Only scan servers you own or have explicit permission to test.
License
Built by Manthan Ghasadiya
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcpsec-2.4.1.tar.gz.
File metadata
- Download URL: mcpsec-2.4.1.tar.gz
- Upload date:
- Size: 1.8 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d8d1fd55201b11ad85e8f9ffdbdc40a0093890c22085ef60176b2088970e0ac6
|
|
| MD5 |
e278fd0708f00ef29b0f97d8df2f5fe6
|
|
| BLAKE2b-256 |
08c165d8b55a2ada0c1501b3090be1b5bf741815d61088e8b59261b810b37b9c
|
File details
Details for the file mcpsec-2.4.1-py3-none-any.whl.
File metadata
- Download URL: mcpsec-2.4.1-py3-none-any.whl
- Upload date:
- Size: 245.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c0785f0f2ac9bf9fab410e5d9dd37ebe91e0bf5658719a8bbc9ed27955cd9e58
|
|
| MD5 |
fcc82d7532bfcdb037ec05b20a2b74f6
|
|
| BLAKE2b-256 |
78bae50d3deeedbd252ece4d09b2ce5f776b6228a34a5458ffccc8971f2909e3
|
