Is HopperPyMCP safe to use?

HopperPyMCP has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install HopperPyMCP?

HopperPyMCP supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with HopperPyMCP?

HopperPyMCP is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is HopperPyMCP actively maintained?

HopperPyMCP is less actively maintained — last commit was 268 days ago. It has 67 GitHub stars.

HopperPyMCP

Name: HopperPyMCP
Author: dflatline

fastmcp · by dflatline

A Python-Based MCP Server for Hopper Disassembler

67 0 tools GitHub PyPI

No known CVEs

MIT license

Stale

Last commit 268d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Security Developer Tools

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "hopperpymcp": {
      "args": [
        "fastmcp"
      ],
      "command": "uvx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/hopperpymcp)](https://mcppedia.org/s/hopperpymcp)

Read me

What HopperPyMCP does

A FastMCP server plugin for the Hopper disassembler that provides powerful analysis tools through the Model Context Protocol (MCP). This plugin allows you to analyze binary files, disassemble procedures, manage documents, and more through AI assistants.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

## Technical Description The `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urll

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

## Summary While testing the *GitHubProvider* OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. ## Technical Details An adversary can initi

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string. PoC: ```python from fastmcp import FastMCP mcp = FastMCP(name="test&calc") @mcp.tool def rol

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the `resource` parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the `base_url` passed to the `OAuthProxy` during initialization. **Affected File:** *https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/oauth_proxy.py#L828* **Affected Code:** ```python self._jwt_issuer:

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

Affected: >= 0Fixed in 2.14.0source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is HopperPyMCP safe to use?: HopperPyMCP has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install HopperPyMCP?: HopperPyMCP supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with HopperPyMCP?: HopperPyMCP is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is HopperPyMCP actively maintained?: HopperPyMCP is less actively maintained — last commit was 268 days ago. It has 67 GitHub stars.

Similar servers

Others in security / developer-tools

View all →

XcodeBuildMCP97

A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.

5.8k 2

XcodeBuildMCP97

XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.

5.8k 1

Figma Console Mcp96

MCP server for accessing Figma plugin console logs and screenshots via Cloudflare Workers or local mode

1.7k 2

Mcp Gitlab96

MCP server for using the GitLab API

1.6k 12

MCP Security Weekly

Get CVE alerts and security updates for HopperPyMCP and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security Developer Tools

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "hopperpymcp": {
      "args": [
        "fastmcp"
      ],
      "command": "uvx"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/hopperpymcp)](https://mcppedia.org/s/hopperpymcp)

Read me

What HopperPyMCP does

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

HopperPyMCP - FastMCP Server for Hopper Disassembler

Features

🔍 Binary Analysis: Analyze segments, procedures, and data structures
🛠️ Disassembly & Decompilation: Get detailed assembly and pseudo-code output
📊 Call Graph Generation: Visualize function relationships and program flow
🔗 Reference Analysis: Track memory references and cross-references
📝 Annotation Tools: Add names, comments, and type information
🗂️ Document Management: Handle multiple executable files
🔍 String Search: Advanced regex-based string searching

Quick Installation

The installation process automatically detects your Python environment (conda, uv, venv, or system Python) and configures everything for you:

# Simple one-command installation
python install.py

That's it! The script will:

✅ Detect your Python environment automatically
✅ Install required dependencies (fastmcp)
✅ Configure the script with correct Python paths
✅ Install to the appropriate Hopper Scripts directory

Supported Environments

Conda environments (including miniconda/anaconda)
UV virtual environments
Python venv/virtualenv
System Python installations
macOS and Linux platforms

If you use an environment like conda, uv, or virtualenv, run the install script from within a new environment, since dependencies will be installed by install.py.

Manual Installation Options

Dry Run (Preview Changes)

# See what would be installed without making changes
python install.py --dry-run

Force Installation

# Overwrite existing installation without prompting
python install.py --force

Uninstallation

Remove the plugin cleanly:

# Remove the installation
python uninstall.py

# Preview what would be removed
python uninstall.py --dry-run

# Remove without confirmation
python uninstall.py --confirm

Usage in Hopper

Once installed, the FastMCP server will be available as a script in Hopper.

Starting the Server

After running the script in Hopper, you'll need to launch the MCP server through the Python prompt:

First Time Setup - Cache Strings (Recommended)

Due to slow Hopper string APIs, the plugin creates optimized string caches for better performance. This process takes about 5-10 minutes per document and saves caches alongside your Hopper document saves.

In the Hopper Python prompt, paste:
```
cache_strings()
```
Wait for caching to complete, then launch the server:
```
launch_server()
```
Quick Start (Skip Caching)

To start immediately without caching (slower string searches):
```
launch_server()
```
Subsequent Uses

If you've already cached strings for your documents:
```
launch_server()
```

The server will run on http://localhost:42069/mcp/ and provide the following tools:

Document Management

get_all_documents() - Get information about all currently opened documents (Hopper-analyzed binaries)
get_current_document() - Get information about the current document with its doc_id
set_current_document(doc_id) - Set the current document by doc_id
rebase_document(new_base_address_hex) - Rebase the current document to a new base address

Core Analysis Tools

list_all_segments() - List all segments in the current document with basic information
get_address_info(address_or_name_list) - Get comprehensive information about multiple addresses

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

Affected: >= 0Fixed in 2.14.0source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is HopperPyMCP safe to use?: HopperPyMCP has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install HopperPyMCP?: HopperPyMCP supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with HopperPyMCP?: HopperPyMCP is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is HopperPyMCP actively maintained?: HopperPyMCP is less actively maintained — last commit was 268 days ago. It has 67 GitHub stars.