Vulnerable Mcp Servers Lab

Name: Vulnerable Mcp Servers Lab
Author: appsecco

by appsecco

A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers.

259 0 tools GitHub

No known CVEs

MIT license

Maintained

Last commit 163d ago

Works with most clients

Transport: stdio, sse, http

0 tools

Grade F

Edit this pageView history

Security Education

Step 1

Install in your client

Config is the same across clients — only the file and path differ.

Supported in Claude Desktopstdio, sse, http · Node 18+

Paste into ~/Library/Application Support/Claude/claude_desktop_config.json

{
  "mcpServers": {
    "vulnerable-mcp-servers-lab": {
      "command": "<see-readme>",
      "args": []
    }
  }
}

Are you the author?

Add this badge to your README to show your security score and help users find safe servers.

Embed in your READMEAbout badges →

[![MCPpedia Score](https://mcppedia.org/api/badge/vulnerable-mcp-servers-lab)](https://mcppedia.org/s/vulnerable-mcp-servers-lab)

Read me

What Vulnerable Mcp Servers Lab does

This repository contains intentionally vulnerable implementations of Model Context Protocol (MCP) servers (both local and remote). Each server lives in its own folder and includes a dedicated README.md with full details on what it does, how to run it, and how to demonstrate/attack the vulnerability.

Test This Server

No automated test available for this server. Check the GitHub README for setup instructions.

Loading README…

Scored, not listed

Why this score

Five weighted categories — click any category to see the underlying evidence.

Score breakdown

32/100across 5 weighted dimensions

How we score →

0255075100

−68

Security

Maintenance

Efficiency

Documentation

Compatibility

Categoriesclick a row to see evidence

Security

OSV.dev

No known CVEs.

No package registry to scan.

Community

Reviews

Be the first to review

Have you used this server?

Share your experience — it helps other developers decide.

How easy was setup?Did it work reliably?How was the documentation?

Frequently Asked Questions

Is Vulnerable Mcp Servers Lab safe to use?: Vulnerable Mcp Servers Lab has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.
How do I install Vulnerable Mcp Servers Lab?: Vulnerable Mcp Servers Lab can be installed by cloning its GitHub repository and following the setup instructions in the README.
What AI clients work with Vulnerable Mcp Servers Lab?: Vulnerable Mcp Servers Lab is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.
Is Vulnerable Mcp Servers Lab actively maintained?: Vulnerable Mcp Servers Lab is less actively maintained — last commit was 163 days ago. It has 259 GitHub stars.

Similar servers

Others in security / education

View all →

Arxiv Mcp Server94

A Model Context Protocol server for searching and analyzing arXiv papers

2.8k 4

Evil Mcp Server93

An evil MCP server used for redteam testing

30 1

Notebooklm Mcp93

MCP server for NotebookLM - Let your AI agents (Claude Code, Codex) research documentation directly with grounded, citation-backed answers from Gemini. Persistent auth, library management, cross-client sharing. Zero hallucinations, just your knowledge base.

2.6k 4

Ida Pro Mcp92

AI-powered reverse engineering assistant that bridges IDA Pro with language models through MCP.

9.0k 3

MCP Security Weekly

Get CVE alerts and security updates for Vulnerable Mcp Servers Lab and similar servers.

Community

Discussion

Start a conversation

Ask a question, share a tip, or report an issue.

Has anyone used this with Cursor?How do you handle auth?Any alternatives?

Vulnerable MCP Servers Lab

This repository contains intentionally vulnerable implementations of Model Context Protocol (MCP) servers (both local and remote). Each server lives in its own folder and includes a dedicated README.md with full details on what it does, how to run it, and how to demonstrate/attack the vulnerability.

Do not run any of this outside a controlled lab environment.

Safety / lab guidance

Use a disposable VM/container and avoid using real secrets or personal data.

Prefer running on an isolated network; several servers make outbound network calls.

Treat all tool output and retrieved content as untrusted data.

If you expose any server over HTTP, assume it may be reachable/abused unless you add proper controls.

MCP servers in this repo

Filesystem Workspace Actions (path traversal + code exec): Tools for reading/writing/listing a “workspace” plus Python execution; vulnerable to naive path joining and unsandboxed code execution.

README: vulnerable-mcp-server-filesystem-workspace-actions/README.md

Indirect Prompt Injection (local stdio): Document retrieval/search that returns documents verbatim, including embedded hidden instructions.

README: vulnerable-mcp-server-indirect-prompt-injection/README.md

Indirect Prompt Injection (remote MCP over HTTP+SSE): Network-accessible MCP server (HTTP + SSE) returning untrusted documents verbatim; models risk of connecting to untrusted remote MCP endpoints.

README: vulnerable-mcp-server-indirect-prompt-injection-remote-mcp/README.md

Malicious Code Execution (eval-based RCE): “Quote of the day” tool with an unsafe formatting feature that eval()s attacker-controlled JavaScript.

README: vulnerable-mcp-server-malicious-code-exec/README.md

Malicious Tools (instruction injection / fabricated tool output): Appears to return status data, but injects misleading instructions and can fabricate plausible-looking incidents.

README: vulnerable-mcp-server-malicious-tools/README.md

Namespace Typosquatting (twittter-mcp): Demonstrates supply-chain/trust issues via a lookalike server name intended to be mistaken for a legitimate package.

README: vulnerable-mcp-server-namespace-typosquatting/README.md

Outdated Packages (supply chain risk): Read-only system/filesystem inspection tools whose primary purpose is to demonstrate risk from outdated/deprecated/vulnerable dependencies.

README: vulnerable-mcp-server-outdated-pacakges/README.md

Secrets + PII Exposure: “Utilities” tools (IP/weather/news) but with embedded sensitive values in source code and leakage via logs.

README: vulnerable-mcp-server-secrets-pii/README.md

Wikipedia (remote, Streamable HTTP): Wikipedia search/retrieval over HTTP; returns untrusted public content without sanitization or instruction/data separation (remote-content prompt injection risk).

README: [`vulnerable-mcp-server-wikip

Frequently Asked Questions

Is Vulnerable Mcp Servers Lab safe to use?

Vulnerable Mcp Servers Lab has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments. Licensed under MIT.

How do I install Vulnerable Mcp Servers Lab?

Vulnerable Mcp Servers Lab can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with Vulnerable Mcp Servers Lab?

Vulnerable Mcp Servers Lab is compatible with claude-desktop, cursor, claude-code. It uses stdio and sse and http transport.

Is Vulnerable Mcp Servers Lab actively maintained?

Vulnerable Mcp Servers Lab is less actively maintained — last commit was 163 days ago. It has 259 GitHub stars.