mcp-server-fuzzer
Verified Safe
by Agent-Hellboy
Overview
A comprehensive CLI-based fuzzing tool for Model Context Protocol (MCP) servers, designed to find vulnerabilities and validate server conformance through both tool argument fuzzing and protocol type fuzzing across multiple transport protocols (HTTP, SSE, Stdio, StreamableHTTP).
Installation
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000
Environment Variables
- MCP_FUZZER_TIMEOUT
- MCP_FUZZER_LOG_LEVEL
- MCP_FUZZER_VERBOSE
- MCP_FUZZER_OUTPUT_DIR
- MCP_FUZZER_SAFETY_ENABLED
- MCP_FUZZER_FS_ROOT
- MCP_FUZZER_AUTO_KILL
- MCP_FUZZER_RETRY_WITH_SAFETY
- MCP_FUZZER_MAX_CONCURRENCY
- MCP_FUZZER_RETRY_COUNT
- MCP_FUZZER_RETRY_DELAY
- MCP_FUZZER_HTTP_TIMEOUT
- MCP_FUZZER_SSE_TIMEOUT
- MCP_FUZZER_STDIO_TIMEOUT
- MCP_API_KEY
- MCP_HEADER_NAME
- MCP_PREFIX
- MCP_USERNAME
- MCP_PASSWORD
- MCP_OAUTH_TOKEN
- MCP_CUSTOM_HEADERS
- MCP_TOOL_AUTH_MAPPING
- API_HOST
- API_PORT
- AUTH_BEARER
Security Notes
The MCP Server Fuzzer is designed to generate potentially malicious inputs to find vulnerabilities in target MCP servers. The fuzzer itself, however, has a highly robust, layered safety system to protect the host machine where it runs. This includes argument-level sanitization using a DangerDetector (blocking dangerous URLs, script injection, and command patterns), a filesystem sandboxing mechanism that confines file operations to a specified root directory, and a System Command Blocker that installs PATH shims to intercept and prevent the execution of dangerous system commands (such as browser launches). Network policy controls (default-deny, allowlists, proxy stripping) further restrict outbound network access. These extensive internal safeguards make the fuzzer itself very safe to run on a host system, even while it is actively trying to exploit vulnerabilities in a target.
Similar Servers
mcp-interviewer
A Python CLI tool designed to evaluate, test, and generate reports on Model Context Protocol (MCP) servers to ensure compatibility and quality for LLM agent use cases.
mcp-watch
A comprehensive security scanner for Model Context Protocol (MCP) servers that detects various vulnerabilities in MCP implementations.
mcp-use-cli
An interactive command-line interface (CLI) tool for connecting to and interacting with Model Context Protocol (MCP) servers using natural language, acting as an AI client that orchestrates LLM responses with external tools.
mcp-security-scanner
A Python-based penetration testing tool designed to scan and identify vulnerabilities in Model Context Protocol (MCP) servers.