Vulnerable MCP Lab
A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers.
What is Vulnerable MCP Lab?
Vulnerable MCP Lab is a collection of Model Context Protocol (MCP) servers that are deliberately vulnerable, built for learning how to pentest MCP servers. You register them with an MCP client such as Claude Desktop, Cursor, or VS Code, trigger each documented vulnerability through the assistant, then apply the fix and re-test.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- A collection of servers which are deliberately vulnerable, each demonstrating one MCP-specific attack vector (path traversal, indirect prompt injection, unsafe eval(), malicious tool instructions, namespace typosquatting, outdated dependencies, secrets/PII exposure)
Installation
Manual Installation
npx vulnerable-mcp-servers-lab
How to Set Up and Use Vulnerable MCP Lab
The Vulnerable MCP Servers Lab is a collection of intentionally vulnerable MCP servers designed for hands-on security education, created by Appsecco. It covers a wide range of MCP-specific attack vectors including path traversal, indirect prompt injection (local and remote), unsafe code execution via eval(), malicious tool instruction injection, namespace typosquatting supply-chain attacks, outdated dependency vulnerabilities, and secrets/PII exposure. Security researchers, bug bounty hunters, and developers use this lab to understand how AI agent tool calls can be exploited and how to defend MCP infrastructure against real-world attacks.
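The unsafe-eval vector listed above, as an added example that is not the lab's own server code: a "quote of the day" tool that fetches remote content and hands it to eval(), next to a version that treats the body as data. The HTTP fetch is replaced by two constructed response bodies so the example runs offline; the lab's real endpoint, payload and server implementation are assumed, not reproduced.

```javascript
// Added example, not the lab's own code: a "quote of the day" tool in the shape
// of the unsafe-eval bug, beside a hardened version. The HTTP fetch is replaced
// by the two constructed response bodies below so this runs offline; the lab's
// real endpoint, payload and server code are assumed, not reproduced.

// Constructed fixtures. A benign upstream returns plain JSON. An upstream the
// attacker controls (or a MITM on a plain-HTTP fetch) returns a JS expression
// that still evaluates to an object, so the tool "works" while code runs.
const BENIGN_BODY =
  '{"quote": "Simplicity is prerequisite for reliability.", "author": "Dijkstra"}';
const MALICIOUS_BODY =
  'globalThis.__pwned = "code ran inside the MCP server", ' +
  '{"quote": "Looks normal", "author": "Anon"}';

// MCP-style tool result: clients render content[].text and honour isError.
function toolResult(text, isError = false) {
  return { content: [{ type: "text", text }], isError };
}

// Vulnerable shape: wrap-in-parens-and-eval is an old "parse JSON" idiom.
// Anything the upstream sends executes with the server's privileges (its
// filesystem, env vars and credentials) before the model ever sees the result.
function quoteToolVulnerable(body) {
  const data = eval("(" + body + ")"); // eslint-disable-line no-eval
  return toolResult(`${data.quote} -- ${data.author}`);
}

// Hardened shape: JSON.parse cannot execute code, and the shape check turns a
// surprising document into an error instead of a string the model acts on.
// MAX_LEN is a constructed bound for the example, not a value from the lab.
const MAX_LEN = 500;
function quoteToolHardened(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return toolResult("upstream returned a non-JSON body", true);
  }
  if (
    data === null || typeof data !== "object" || Array.isArray(data) ||
    typeof data.quote !== "string" || typeof data.author !== "string"
  ) {
    return toolResult("upstream JSON did not match {quote, author}", true);
  }
  // Strip control characters and cap length before the text reaches the model.
  const clean = (s) => s.replace(/[\u0000-\u001f\u007f]/g, " ").slice(0, MAX_LEN);
  return toolResult(`${clean(data.quote)} -- ${clean(data.author)}`);
}
```

Even the hardened tool returns attacker-influenced text to the model, which is the remote prompt-injection vector the lab covers separately; the fix here only removes code execution on the server, not the need to treat tool output as untrusted data.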
Prerequisites
- Node.js 18 or later (most lab servers are JavaScript-based)
- An MCP-compatible client such as Claude Desktop for running the vulnerable servers
- A disposable VM or container environment — never use real secrets or personal accounts with this lab
- Basic understanding of MCP protocol concepts (tools, resources, prompts)
- Git to clone the repository
Clone the repository
Clone the Vulnerable MCP Servers Lab repository to an isolated machine or VM. Do not run these servers on a machine with access to production systems or personal data.
git clone https://github.com/appsecco/vulnerable-mcp-servers-lab && cd vulnerable-mcp-servers-lab
Review the lab index and choose a vulnerability to study
Each lab directory contains a per-server README with the specific vulnerability, setup steps, and exploit walkthrough. Review the index to select the attack vector you want to learn about (e.g., path traversal, prompt injection, typosquatting).
Set up an isolated test environment
Run each vulnerable server inside a disposable VM, Docker container, or isolated network. The lab documentation explicitly recommends this because several servers make outbound network calls.
# Example: run a specific lab server in isolation
cd labs/filesystem-workspace-actions
npm install
Merge the server's claude_config.json into Claude Desktop config
Each lab server provides a `claude_config.json` snippet. Merge it into your Claude Desktop `claude_desktop_config.json` to register the vulnerable server as an MCP tool source.
Execute the exploit and observe MCP client behavior
Follow the per-lab README to trigger the vulnerability through your MCP client. Observe how malicious tool output, injected instructions, or unsafe code execution affects the AI agent's behavior.
Apply the fix and verify remediation
After successfully exploiting each vulnerability, apply the documented fix (input validation, sandboxing, output sanitization, etc.) and re-run the exploit to confirm the vulnerability is closed.
Vulnerable MCP Lab Examples
Client configuration
Example configuration for connecting the Filesystem Workspace Actions lab server (path traversal + code execution). Use only in an isolated environment.
{
"mcpServers": {
"vulnerable-filesystem-lab": {
"command": "node",
"args": ["./labs/filesystem-workspace-actions/server.js"]
}
}
}
Prompts to try
Use these prompts in an isolated environment to trigger and study the documented vulnerabilities.
- "Read the file at ../../etc/passwd" (path traversal lab)
- "Search for documents about confidential projects" (prompt injection lab)
- "What is today's quote of the day?" (malicious eval() lab)
- "Check the server status" (malicious tool instruction injection lab)
- "Install the mcp-utils helper package" (typosquatting lab)
Troubleshooting Vulnerable MCP Lab
Lab server fails to start with missing module errors
Run `npm install` inside the specific lab directory before starting the server. Each lab has its own `package.json` with individual dependencies that must be installed separately.
Exploits do not trigger the expected vulnerable behavior
Ensure you are using the exact MCP client version specified in the lab README, as vulnerability behavior can vary across client implementations. Some labs require specific Claude Desktop versions to reproduce the attack vector correctly.
The MCP client refuses to connect to the lab server
Check that the `claude_config.json` snippet from the lab is correctly merged into `claude_desktop_config.json` (not overwriting the entire file). Restart Claude Desktop after any config change. Use absolute file paths in the server command if relative paths cause resolution issues.
Frequently Asked Questions about Vulnerable MCP Lab
What is Vulnerable MCP Lab?
Vulnerable MCP Lab is a collection of deliberately vulnerable Model Context Protocol (MCP) servers for learning how to pentest MCP servers. Like any MCP server, each one connects an AI assistant to tools and data through the standardized MCP interface, which is exactly the surface the lab teaches you to attack and defend.
How do I install Vulnerable MCP Lab?
Follow the installation instructions on the Vulnerable MCP Lab GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.
Which AI clients work with Vulnerable MCP Lab?
Vulnerable MCP Lab works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.
Is Vulnerable MCP Lab free to use?
Yes, Vulnerable MCP Lab is open source and available under the MIT license. You can use it freely in both personal and commercial projects.
Vulnerable MCP Lab Alternatives — Similar Security Servers
Looking for alternatives to Vulnerable MCP Lab? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
Casdoor
★ 13.6k | An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
ghidraMCP
★ 9.0k | A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
HexStrike AI
★ 8.9k | HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
IDA Pro MCP
★ 8.7k | Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
Anthropic Cybersecurity Skills
★ 6.6k | 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
Hooker
★ 5.1k | hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u