Is Mcp For Security Python safe to use?

Mcp For Security Python has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Mcp For Security Python?

Mcp For Security Python supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.

What AI clients work with Mcp For Security Python?

Mcp For Security Python is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Mcp For Security Python actively maintained?

Mcp For Security Python is less actively maintained — last commit was 342 days ago. It has 40 GitHub stars.

Mcp For Security Python

Name: Mcp For Security Python
Author: f1tz

fastmcp · by f1tz

一个为主流渗透测试工具打造的MCP服务器集合。 | A collection of Model Context Protocol servers for popular security tools like SQLMap, FFUF, NMAP, Masscan and more. Integrate security testing and penetration testing into AI workflows.

40 0 tools GitHub PyPI

No known CVEs

MIT license

Stale

Last commit 342d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "tool-name-mcp": {
      "args": [
        "/path/to/tool-mcp/server.py",
        "tool-binary"
      ],
      "command": "python"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-for-security-python)](https://mcppedia.org/s/mcp-for-security-python)

Read me

What Mcp For Security Python does

This is a Python refactored version of the security tools MCP (Model Context Protocol) server collection, implemented using the FastMCP library.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

## Technical Description The `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urll

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

## Summary While testing the *GitHubProvider* OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. ## Technical Details An adversary can initi

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string. PoC: ```python from fastmcp import FastMCP mcp = FastMCP(name="test&calc") @mcp.tool def rol

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the `resource` parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the `base_url` passed to the `OAuthProxy` during initialization. **Affected File:** *https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/oauth_proxy.py#L828* **Affected Code:** ```python self._jwt_issuer:

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.

Affected: >= 0Fixed in 2.14.0source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp For Security Python safe to use?: Mcp For Security Python has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp For Security Python?: Mcp For Security Python supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Mcp For Security Python?: Mcp For Security Python is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp For Security Python actively maintained?: Mcp For Security Python is less actively maintained — last commit was 342 days ago. It has 40 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for Mcp For Security Python and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Edit this pageView history

Security

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "tool-name-mcp": {
      "args": [
        "/path/to/tool-mcp/server.py",
        "tool-binary"
      ],
      "command": "python"
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/mcp-for-security-python)](https://mcppedia.org/s/mcp-for-security-python)

Read me

What Mcp For Security Python does

This is a Python refactored version of the security tools MCP (Model Context Protocol) server collection, implemented using the FastMCP library.

Test This Server

Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.

uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"

After testing, let us know if it worked:

README

中文

MCP for Security - Python Version

This is a Python refactored version of the security tools MCP (Model Context Protocol) server collection, implemented using the FastMCP library.

🌟 Project Origin & Declaration

Acknowledgment to Original Author

This project is a complete Python refactoring based on cyproxio/mcp-for-security JavaScript/TypeScript version. We thank cyproxio for open-sourcing this excellent security tools MCP server collection, which provides important contributions to the standardization of cybersecurity tools.

Refactoring Notes

⚠️ Important Declaration:

This project was completely refactored by Claude 4 AI, converting from JavaScript/TypeScript to Python
Has NOT been verified through manual real-machine testing, may contain runtime errors or functional defects
Code logic is based on translation and adaptation from the original version, but may contain understanding bias
Please analyze the code yourself, use cautiously in production environments
If issues are found, welcome to submit PRs or Issues to help improve the project

🎯 Project Goals

Complete refactoring of 20 JavaScript version security tool MCP servers to Python version, maintaining:

✅ 100% API compatibility (theoretically)
✅ Same functionality and parameters
✅ Independent operation with no interdependencies
✅ Detailed Chinese documentation

📁 Project Structure

mcp-for-security-python/
├── README.md                    # This file
├── sqlmap-mcp/                  # SQL injection testing tool
├── assetfinder-mcp/             # Subdomain discovery tool
├── waybackurls-mcp/             # Historical URL discovery tool
├── crtsh-mcp/                   # SSL certificate log query tool
├── shuffledns-mcp/              # DNS brute force tool
├── httpx-mcp/                   # HTTP service detection tool
├── ffuf-mcp/                    # Web fuzzing tool
├── nuclei-mcp/                  # Vulnerability scanning tool
├── nmap-mcp/                    # Network scanning tool
├── masscan-mcp/                 # High-speed port scanning tool
├── alterx-mcp/                  # Domain mutation generation tool
├── arjun-mcp/                   # HTTP parameter discovery tool
├── katana-mcp/                  # Web crawler tool
├── sslscan-mcp/                 # SSL/TLS security scanning tool
├── http-headers-security-mcp/   # HTTP header security check tool
├── mobsf-mcp/                   # Mobile app security analysis tool
├── scoutsuite-mcp/              # Cloud security audit tool
├── smuggler-mcp/                # HTTP request smuggling vulnerability detection
├── amass-mcp/                   # Asset discovery and reconnaissance tool
└── wpsscan-mcp/                 # WordPress security scanning tool

🚀 MCP Server List

✅ Completed (20/20 - 100%)

Basic Tools

assetfinder-mcp - Subdomain discovery tool
- Function: Quickly discover subdomains of target domains
- Feature: Automatic ANSI color code cleaning
waybackurls-mcp - Historical URL discovery tool
- Function: Retrieve historical URLs from Wayback Machine
- Feature: Support include/exclude subdomain options
crtsh-mcp - SSL certificate log query tool
- Function: Discover subdomains from certificate transparency logs
- Feature: API calls, no local tools required
shuffledns-mcp - DNS brute force tool
- Function: Efficient DNS resolution and brute forcing
- Feature: Integrated massdns, supports multiple modes
alterx-mcp - Domain mutation generation tool
- Function: Generate domain mutations for subdomain discovery
- Feature: Support multiple mutation modes and custom templates

Scanning Tools

httpx-mcp - HTTP service detection tool
- Function: Fast HTTP/HTTPS service discovery
- Feature: Rich detection options and concurrent processing
nmap-mcp - Network scanning too

... View full README on GitHub

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

50/100across 5 weighted dimensions

How we score →

0255075100

−50

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

8 fixed

CVE-2026-32871low · fixedCVSS 3.1

FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability

Affected: >= 0Fixed in 3.2.0source →

CVE-2026-27124medium · fixedCVSS 4

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-64340low · fixedCVSS 3.1

FastMCP has a Command Injection vulnerability - Gemini CLI

Affected: >= 0Fixed in 3.2.0source →

CVE-2025-69196medium · fixedCVSS 4

FastMCP OAuth Proxy token reuse across MCP servers

Affected: >= 0Fixed in 2.14.2source →

GHSA-rcfx-77hg-w2wvinfo · fixed

FastMCP updated to MCP 1.23+ due to CVE-2025-66416

Affected: >= 0Fixed in 2.14.0source →

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Mcp For Security Python safe to use?: Mcp For Security Python has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Mcp For Security Python?: Mcp For Security Python supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
What AI clients work with Mcp For Security Python?: Mcp For Security Python is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Mcp For Security Python actively maintained?: Mcp For Security Python is less actively maintained — last commit was 342 days ago. It has 40 GitHub stars.

Similar servers

Others in security

View all →

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

io.github.jasonxkensei/xproof92

Proof primitive for AI agents on MultiversX. Anchor file hashes on-chain as verifiable proofs.

1 1

Mcpki Server92

mcpki-server is the backend infrastructure for https://www.mcpki.org, enabling secure public key management and autonomous certificate handling for large language models (LLMs).

MCP Security Weekly

Get CVE alerts and security updates for Mcp For Security Python and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?