Step 1
Install in your client
Config is the same across clients — only the file and path differ.
CD
Supported in Claude Desktopsse, http · Node 18+
Paste into ~/Library/Application Support/Claude/claude_desktop_config.json
{
"mcpServers": {
"r0idamcp": {
"url": "http://192.168.1.2:26868/sse",
"type": "sse"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Embed in your READMEAbout badges →
[](https://mcppedia.org/s/r0idamcp)
Read me
What R0idamcp does
- 功能集大成:集成市面已有项目的大部分功能,还会继续维护根据issue添加功能 - 依赖极少:只需要一个最新的FastMCP2.0,不需要复杂的uv及特定版本的python - 兼容性强:支持所有MCP功能的大模型助手,无需科学上网配置复杂的依赖和环境,成功率极高 - 代码极简:市面项目大量采用嵌套代码生成工具,可读性极差。本项目浓缩到单文件,mcp.tool声明与实现一一对应,可读性极强,伸缩性和扩展性极佳
Test This Server
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
uvx 'fastmcp' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Loading README…
Scored, not listed
Why this score
Five weighted categories — click any category to see the underlying evidence.
Score breakdown
48/100across 5 weighted dimensions
0255075100
23
14
10
−52
Security
Maintenance
Efficiency
Documentation
Compatibility
Categoriesclick a row to see evidence
Security
OSV.dev8 fixed
CVE-2026-32871low · fixedCVSS 3.1
FastMCP OpenAPI Provider has an SSRF & Path Traversal Vulnerability
## Technical Description The `OpenAPIProvider` in FastMCP exposes internal APIs to MCP clients by parsing OpenAPI specifications. The `RequestDirector` class is responsible for constructing HTTP requests to the backend service. A critical vulnerability exists in the `_build_url()` method. When an OpenAPI operation defines path parameters (e.g., `/api/v1/users/{user_id}`), the system directly substitutes parameter values into the URL template string **without URL-encoding**. Subsequently, `urll
CVE-2026-27124medium · fixedCVSS 4
FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities
## Summary While testing the *GitHubProvider* OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHub. In combination with GitHub’s behavior of skipping the consent page for previously authorized clients, this introduces a Confused Deputy vulnerability. ## Technical Details An adversary can initi
CVE-2025-64340low · fixedCVSS 3.1
FastMCP has a Command Injection vulnerability - Gemini CLI
Server names containing shell metacharacters (e.g., `&`) can cause command injection on Windows when passed to `fastmcp install claude-code` or `fastmcp install gemini-cli`. These install paths use `subprocess.run()` with a list argument, but on Windows the target CLIs often resolve to `.cmd` wrappers that are executed through `cmd.exe`, which interprets metacharacters in the flattened command string. PoC: ```python from fastmcp import FastMCP mcp = FastMCP(name="test&calc") @mcp.tool def rol
CVE-2025-69196medium · fixedCVSS 4
FastMCP OAuth Proxy token reuse across MCP servers
While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the `resource` parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the `base_url` passed to the `OAuthProxy` during initialization. **Affected File:** *https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/oauth_proxy.py#L828* **Affected Code:** ```python self._jwt_issuer:
GHSA-rcfx-77hg-w2wvinfo · fixed
FastMCP updated to MCP 1.23+ due to CVE-2025-66416
There was a recent CVE report on MCP: https://nvd.nist.gov/vuln/detail/CVE-2025-66416. FastMCP does not use any of the affected components of the MCP SDK directly. However, FastMCP versions prior to 2.14.0 did allow MCP SDK versions <1.23 that were vulnerable to CVE-2025-66416. Users should upgrade to FastMCP 2.14.0 or later.
Community
Reviews
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
How easy was setup?Did it work reliably?How was the documentation?
Sign in to write a review.
Frequently Asked Questions
- Is R0idamcp safe to use?
- R0idamcp has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
- How do I install R0idamcp?
- R0idamcp supports copy-paste install configs on its MCPpedia page for Claude Desktop, Cursor, and Claude Code. Scroll to the Quick Install section and select your client.
- What AI clients work with R0idamcp?
- R0idamcp is compatible with claude-desktop, cursor, claude-code. It uses sse and http transport.
- Is R0idamcp actively maintained?
- R0idamcp is not actively maintained — last commit was 380 days ago. It has 78 GitHub stars.
Related
Similar servers
Others in security / developer-tools
XcodeBuildMCP97A Model Context Protocol (MCP) server and CLI that provides tools for agent use when working on iOS and macOS projects.
5.8k 2
X
XcodeBuildMCP97XcodeBuildMCP provides tools for Xcode project management, simulator management, and app utilities.
5.8k 1
Figma Console Mcp96MCP server for accessing Figma plugin console logs and screenshots via Cloudflare Workers or local mode
1.7k 2
G
Mcp Gitlab96MCP server for using the GitLab API
1.6k 12
MCP Security Weekly
Get CVE alerts and security updates for R0idamcp and similar servers.
Community
Discussion
Start a conversation
Ask a question, share a tip, or report an issue.
Has anyone used this with Cursor?How do you handle auth?Any alternatives?
Sign in to join the discussion.