by appsecco
A collection of deliberately vulnerable servers for learning how to pentest MCP servers.
# Add to your Claude Code skills
git clone https://github.com/appsecco/vulnerable-mcp-servers-lab

This repository contains intentionally vulnerable implementations of Model Context Protocol (MCP) servers (both local and remote). Each server lives in its own folder and includes a dedicated README.md with full details on what it does, how to run it, and how to demonstrate/attack the vulnerability.
Do not run any of this outside a controlled lab environment.
claude_config.json snippet intended to be merged into Claude Desktop’s MCP configuration.

Filesystem Workspace Actions (path traversal + code exec): Tools for reading/writing/listing a “workspace” plus Python execution; vulnerable to naive path joining and unsandboxed code execution.
Indirect Prompt Injection (local stdio): Document retrieval/search that returns documents verbatim, including embedded hidden instructions.
Indirect Prompt Injection (remote MCP over HTTP+SSE): Network-accessible MCP server (HTTP + SSE) returning untrusted documents verbatim; models risk of connecting to untrusted remote MCP endpoints.
Malicious Code Execution (eval-based RCE): “Quote of the day” tool with an unsafe formatting feature that eval()s attacker-controlled JavaScript.
Malicious Tools (instruction injection / fabricated tool output): Appears to return status data, but injects misleading instructions and can fabricate plausible-looking incidents.
Namespace Typosquatting (twittter-mcp): Demonstrates supply-chain/trust issues vi...
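
The naive path joining named in the Filesystem Workspace Actions entry, shown next to a containment check. This is an added example, not code from the lab repository; the function names, the temporary workspace layout and the sample paths are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_resolve(workspace: Path, user_path: str) -> Path:
    """Weak pattern: join and use. '..', absolute paths and symlinks all escape."""
    return Path(os.path.join(workspace, user_path))


def safe_resolve(workspace: Path, user_path: str) -> Path:
    """Resolve '..' and symlinks first, then require the result to stay inside the workspace."""
    root = workspace.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes workspace: {user_path!r}")
    return candidate


# Constructed inputs: two benign paths, then three that leave the workspace.
SAMPLE_PATHS = ["notes.txt", "sub/../notes.txt", "../outside/secret.txt",
                "/etc/hostname", "link/secret.txt"]


def demo() -> dict:
    """Map each sample path to (naive result stays inside, safe_resolve accepts it)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp) / "workspace"
        outside = Path(tmp) / "outside"
        workspace.mkdir()
        outside.mkdir()
        (workspace / "notes.txt").write_text("ok")
        (outside / "secret.txt").write_text("not for the tool")
        os.symlink(outside, workspace / "link")  # symlink planted inside the workspace
        root = workspace.resolve()
        for user_path in SAMPLE_PATHS:
            naive_inside = root in naive_resolve(workspace, user_path).resolve().parents
            try:
                safe_resolve(workspace, user_path)
                accepted = True
            except PermissionError:
                accepted = False
            results[user_path] = (naive_inside, accepted)
    return results


if __name__ == "__main__":
    for path, (inside, accepted) in demo().items():
        print(f"{path!r:28} naive stays inside={inside!s:5} safe_resolve accepts={accepted}")
```

The check only holds at the moment it runs, so a tool should open the path returned by `safe_resolve` rather than re-joining the original input afterwards.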