Vulnerable MCP Server
@evrenyal
Vulnerable MCP Server
Overview
What is Vulnerable MCP Server?
An intentionally vulnerable MCP (Model Context Protocol) application designed for security research. It combines FastAPI, SQLite, a local Ollama LLM, and JSON-RPC to route natural language inputs to SQL queries or shell commands, enabling testing of SQL injection (SQLi) and remote code execution (RCE) vulnerabilities.
How to use Vulnerable MCP Server?
Clone the repository, run docker-compose up --build, then connect the Ollama and MCP containers to the same Docker network using docker network connect mcplab ollama and docker network connect mcplab mcp_internal and docker network connect mcplab mcp_remote. The server starts with an auto-initializing SQLite database and exposes JSON-RPC methods.
Key features of Vulnerable MCP Server
- LLM-based decision logic for command routing (SQL or CLI)
- Native execution of SQL and terminal commands
- Auto-initializing SQLite database with sample data
- Simple, pluggable JSON-RPC methods
- Vulnerable by design — suitable for offensive/defensive testing
Use cases of Vulnerable MCP Server
- Testing SQL injection (SQLi) in a controlled environment
- Testing remote code execution (RCE) via command injection
- Building capture-the-flag (CTF) challenges or security labs
- Evaluating LLM-based decision logic for security misuses
FAQ from Vulnerable MCP Server
Is this safe for production?
No. The app is intentionally insecure: it has no authentication, no input validation, and blindly executes raw SQL and shell commands as well as LLM responses.
What is the purpose of this server?
It is built for security research, CTFs, and offensive/defensive testing of SQLi and RCE vulnerabilities in LLM-driven systems.
What are the runtime dependencies?
Docker, a local Ollama instance with an LLM, and an isolated network environment. The server itself runs on FastAPI with SQLite.
Does it require authentication or access control?
No. The server explicitly lacks any authentication or access control mechanisms.
What kind of vulnerabilities does it simulate?
It simulates SQL injection (SQLi) via native SQL execution and remote code execution (RCE) via unrestricted shell command execution, both routed through LLM decision logic.