Vulnerable MCP Lab

v1.0.0 | Security | stable

A collection of servers which are deliberately vulnerable to learn Pentesting MCP Servers.

Tags: ai-red-teaming, ai-research, appsecco, bugbounty, hacking
Stars: 257

What is Vulnerable MCP Lab?

Vulnerable MCP Lab is a collection of Model Context Protocol (MCP) servers that are deliberately vulnerable, built for learning how to pentest MCP servers with AI assistants such as Claude, Cursor, and VS Code.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A collection of servers which are deliberately vulnerable, for learning to pentest MCP servers

Use Cases

Learn pentesting and security vulnerabilities with intentionally vulnerable servers.
Practice bug bounty techniques on MCP infrastructure.
Understand MCP client security through hands-on labs.
Maintainer: appsecco

License: MIT
Language: JavaScript
Version: v1.0.0
Updated: May 18, 2026
Status: healthy
Maintenance: active

Works with

Clients: Claude, OpenAI. Platforms: Windows, macOS, Linux.

Installation

Manual Installation

npx vulnerable-mcp-servers-lab

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use Vulnerable MCP Lab

The Vulnerable MCP Servers Lab is a collection of intentionally vulnerable MCP servers designed for hands-on security education, created by Appsecco. It covers a wide range of MCP-specific attack vectors including path traversal, indirect prompt injection (local and remote), unsafe code execution via eval(), malicious tool instruction injection, namespace typosquatting supply-chain attacks, outdated dependency vulnerabilities, and secrets/PII exposure. Security researchers, bug bounty hunters, and developers use this lab to understand how AI agent tool calls can be exploited and how to defend MCP infrastructure against real-world attacks.
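The eval() vector in that list is worth seeing in code. The block below is an added example written for this page, not the lab's own server: a "quote of the day" tool that fetches a body from an upstream source and turns it into an object, first the vulnerable way (eval) and then the hardened way (JSON.parse plus a shape check). The two sample bodies are constructed strings, the field names quote/author and the 500-character limit are assumptions, and no network request is made.

```javascript
// Added example for this page, not the lab's server code. The "quote of
// the day" pattern: a tool fetches a body from a remote source and turns
// it into an object. The vulnerable form does that with eval(); the
// hardened form parses it as data and validates the shape. Both bodies
// below are constructed strings; no network request is made.

// Vulnerable: the remote body is executed with the server's privileges.
// eval() yields the value of the last expression, so a comma-joined
// payload can run attacker code AND still return a well-formed quote,
// which is why the compromise is invisible to the model and the user.
function parseQuoteUnsafe(body) {
  return eval("(" + body + ")"); // eslint-disable-line no-eval
}

// Hardened: JSON.parse cannot execute anything, and the shape check
// rejects extra keys, wrong types, and empty or oversized fields before
// the text reaches the model.
const MAX_FIELD_LEN = 500;            // assumed limit
const EXPECTED_KEYS = ["author", "quote"]; // assumed schema, sorted

function parseQuoteSafe(body) {
  let obj;
  try {
    obj = JSON.parse(body);
  } catch {
    return { ok: false, reason: "body is not valid JSON" };
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, reason: "body is not a JSON object" };
  }
  const keys = Object.keys(obj).sort();
  if (keys.join(",") !== EXPECTED_KEYS.join(",")) {
    return { ok: false, reason: `unexpected keys: ${keys.join(",")}` };
  }
  for (const k of keys) {
    const v = obj[k];
    if (typeof v !== "string" || v.length === 0 || v.length > MAX_FIELD_LEN) {
      return { ok: false, reason: `field ${k} is not a non-empty string of at most ${MAX_FIELD_LEN} chars` };
    }
  }
  return { ok: true, quote: obj.quote, author: obj.author };
}

// Constructed sample bodies. BENIGN is what a well-behaved upstream sends;
// MALICIOUS is what a compromised or spoofed upstream could send.
const BENIGN = '{"quote":"Trust, but verify.","author":"Anon"}';
const MALICIOUS =
  'globalThis.pwned = "attacker code ran", {quote:"Trust, but verify.", author:"Anon"}';
```

Running parseQuoteUnsafe(MALICIOUS) sets globalThis.pwned and still returns a perfectly normal-looking quote, so nothing downstream notices; parseQuoteSafe(MALICIOUS) refuses it as invalid JSON. The lesson generalizes beyond eval: new Function, vm.runInThisContext and shell interpolation of fetched text all have the same shape.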

Prerequisites

  • Node.js 18 or later (most lab servers are JavaScript-based)
  • An MCP-compatible client such as Claude Desktop for running the vulnerable servers
  • A disposable VM or container environment — never use real secrets or personal accounts with this lab
  • Basic understanding of MCP protocol concepts (tools, resources, prompts)
  • Git to clone the repository

1. Clone the repository

Clone the Vulnerable MCP Servers Lab repository to an isolated machine or VM. Do not run these servers on a machine with access to production systems or personal data.

git clone https://github.com/appsecco/vulnerable-mcp-servers-lab && cd vulnerable-mcp-servers-lab

2. Review the lab index and choose a vulnerability to study

Each lab directory contains a per-server README with the specific vulnerability, setup steps, and exploit walkthrough. Review the index to select the attack vector you want to learn about (e.g., path traversal, prompt injection, typosquatting).

3. Set up an isolated test environment

Run each vulnerable server inside a disposable VM, Docker container, or isolated network. The lab documentation explicitly recommends this because several servers make outbound network calls.

# Example: install and start a specific lab server in isolation
cd labs/filesystem-workspace-actions
npm install
node server.js   # server.js is the entry point the client config below points at

4. Merge the server's claude_config.json into Claude Desktop config

Each lab server provides a `claude_config.json` snippet. Merge it into your Claude Desktop `claude_desktop_config.json` to register the vulnerable server as an MCP tool source.

5. Execute the exploit and observe MCP client behavior

Follow the per-lab README to trigger the vulnerability through your MCP client. Observe how malicious tool output, injected instructions, or unsafe code execution affects the AI agent's behavior.

6. Apply the fix and verify remediation

After successfully exploiting each vulnerability, apply the documented fix (input validation, sandboxing, output sanitization, etc.) and re-run the exploit to confirm the vulnerability is closed.

Vulnerable MCP Lab Examples

Client configuration

Example configuration for connecting the Filesystem Workspace Actions lab server (path traversal + code execution). Use only in an isolated environment.

{
  "mcpServers": {
    "vulnerable-filesystem-lab": {
      "command": "node",
      "args": ["./labs/filesystem-workspace-actions/server.js"]
    }
  }
}

Prompts to try

Use these prompts in an isolated environment to trigger and study the documented vulnerabilities.

- "Read the file at ../../etc/passwd" (path traversal lab)
- "Search for documents about confidential projects" (prompt injection lab)
- "What is today's quote of the day?" (malicious eval() lab)
- "Check the server status" (malicious tool instruction injection lab)
- "Install the mcp-utils helper package" (typosquatting lab)
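The typosquatting prompt is the one where the agent, not the human, picks the package name, so the defence belongs in front of the install tool. The block below is an added example written for this page, not the lab's code: a name check that catches the two confusions the lab is about, a near-miss spelling and the same bare name under a different or missing scope. The allow-list (@acme/mcp-utils, mcp-sdk-tools), the edit-distance threshold of 2, and every name tested are constructed and refer to no real package.

```javascript
// Added example for this page, not the lab's code. A name check in front
// of a tool that installs npm packages on the agent's behalf, covering the
// two confusions the typosquatting lab is about: a near-miss spelling and
// the same bare name under a different (or missing) scope. The allow-list
// and every name tested are constructed and do not refer to real packages.

// Plain Levenshtein distance, single-row version.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Split "@scope/name" into its parts; reject anything else (paths, URLs,
// git specs, version ranges), which an install tool should never accept
// straight from model output.
function splitName(name) {
  const m = /^(?:(@[a-z0-9][a-z0-9._-]*)\/)?([a-z0-9][a-z0-9._-]*)$/.exec(name);
  return m ? { scope: m[1] || null, bare: m[2] } : null;
}

const APPROVED = ["@acme/mcp-utils", "mcp-sdk-tools"]; // constructed allow-list
const MAX_TYPO_DISTANCE = 2;                           // assumed threshold

function checkPackageName(rawName, approved = APPROVED) {
  const name = String(rawName).trim().toLowerCase();
  const parts = splitName(name);
  if (!parts) return { allowed: false, reason: "malformed package name" };
  if (approved.includes(name)) return { allowed: true, name };

  // Same bare name, different or missing scope: namespace confusion.
  const sameBare = approved.find((a) => splitName(a).bare === parts.bare);
  if (sameBare) {
    return { allowed: false, reason: "namespace mismatch", expected: sameBare };
  }

  // Close to an approved name but not equal: likely a typosquat.
  let best = null;
  for (const a of approved) {
    const d = editDistance(name, a);
    if (best === null || d < best.distance) best = { name: a, distance: d };
  }
  if (best !== null && best.distance <= MAX_TYPO_DISTANCE) {
    return { allowed: false, reason: "possible typosquat", expected: best.name };
  }
  return { allowed: false, reason: "not on the allow-list" };
}
```

The allow-list is the real control; the distance and scope checks exist to turn a silent "not found" into a message that names the package the model probably meant, which is what a human reviewing the refused call needs. Pin versions and integrity hashes in the install step itself so a correct name cannot be swapped for a different artifact later.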

Troubleshooting Vulnerable MCP Lab

Lab server fails to start with missing module errors

Run `npm install` inside the specific lab directory before starting the server. Each lab has its own `package.json` with individual dependencies that must be installed separately.

Exploits do not trigger the expected vulnerable behavior

If a lab README names a specific MCP client version, use that version: the observable behavior of a vulnerability (for example, how tool descriptions and tool output are surfaced to the model) can vary across client implementations, and some labs may only reproduce the attack vector on the Claude Desktop version they were written against.

The MCP client refuses to connect to the lab server

Check that the `claude_config.json` snippet from the lab is correctly merged into `claude_desktop_config.json` (not overwriting the entire file). Restart Claude Desktop after any config change. Use absolute file paths in the server command if relative paths cause resolution issues.

Frequently Asked Questions about Vulnerable MCP Lab

What is Vulnerable MCP Lab?

Vulnerable MCP Lab is a collection of deliberately vulnerable Model Context Protocol (MCP) servers for learning how to pentest MCP servers. Like any MCP server, each one connects an AI assistant to tools and data sources through a standardized interface; here that interface is the attack surface being studied.

How do I install Vulnerable MCP Lab?

Follow the installation instructions on the Vulnerable MCP Lab GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Vulnerable MCP Lab?

Vulnerable MCP Lab works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Vulnerable MCP Lab free to use?

Yes, Vulnerable MCP Lab is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

Vulnerable MCP Lab Alternatives — Similar Security Servers

Looking for alternatives to Vulnerable MCP Lab? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor (13.6k stars): An open-source Agent-first Identity and Access Management (IAM) / LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP (9.0k stars): A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI (8.9k stars): HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP (8.7k stars): Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills (6.6k stars): 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker (5.1k stars): 🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u


Quick Config Preview

{
  "mcpServers": {
    "vulnerable-mcp-servers-lab": {
      "command": "npx",
      "args": ["-y", "vulnerable-mcp-servers-lab"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
