CLI fuzzing for MCP servers
Tool fuzzing β’ Protocol fuzzing β’ HTTP/SSE/stdio/StreamableHTTP β’ Safety controls β’ Rich reporting
Docs Site β’ Getting Started β’ CLI Reference
MCP Server Fuzzer tests MCP servers by fuzzing:
- tool arguments
- protocol request types
- resource and prompt request flows
- multiple transports:
http,sse,stdio, andstreamablehttp
It includes optional safety controls such as filesystem sandboxing, PATH-based command blocking, and network restrictions for safer local testing.
Beyond protocol/transport errors, runs are classified into categorized findings
(written to <output-dir>/findings.json, with per-crash repros under
<output-dir>/crashes/, a compact CI summary at
<output-dir>/run_summary.json, and summarized on stdout):
crashβ server process terminated abnormally (segfault/abort/panic or non-zero exit); captures the signal and a stderr tailauth_bypassβ a protected tool answered an unauthenticated callinjection_reflectionβ a dangerous input token was echoed back verbatimoversized_responseβ response exceeded the read cap (resource exhaustion)hangβ request timed out (deadlock / infinite loop / ReDoS)internal_errorβ JSON-RPC-32603(unhandled server-side exception)error_leakageβ stack trace / panic leaked in outputmemory_growthβ server RSS grew multi-fold across runs (stdio targets)non_determinismβ identical input produced differing outcomesaccepted_malformedβ server returned a non-error response to an attack-pattern or schema-invalid fuzz input; repeated identical evidence is collapsed into one finding with run counts and a response sampleperformance_outlierβ response time far above the per-target median
findings.json is always written for completed sessions, even when no findings
are present ({"findings": [], "count": 0}), so CI jobs can assert that report
generation succeeded separately from whether issues were discovered.
run_summary.json records whether the run completed or was blocked, plus
tool/protocol counts and run totals for simple CI assertions.
Tip: for compiled-language servers (Go/C/C++/Rust), run the target under a sanitizer or race build so memory bugs surface as observable crashes.
Requires Python 3.10+.
# PyPI
pip install mcp-fuzzer
# From source
git clone --recursive https://github.com/Agent-Hellboy/mcp-server-fuzzer.git
cd mcp-server-fuzzer
pip install -e .Docker is also supported:
docker build -t mcp-fuzzer:latest .
docker run --rm mcp-fuzzer:latest --helppip install "mcp[cli]" uvicorn
python3 examples/test_server.pyThat server uses the official Python MCP SDK, listens on
http://localhost:8000/mcp/, and exposes:
test_toolecho_toolsecure_toolrequiringAuthorization: Bearer secret123
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000/mcp/ --runs 10mcp-fuzzer --mode protocol --protocol-type InitializeRequest \
--protocol http --endpoint http://localhost:8000/mcp/ --runs-per-type 5mcp-fuzzer --mode all --phase both --protocol http --endpoint http://localhost:8000/mcp/# Enable command blocking + safety reporting
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000/mcp/ \
--enable-safety-system --safety-report
# Export results
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000/mcp/ \
--export-csv results.csv --export-html results.html
# Use auth config for the bundled secure_tool example
mcp-fuzzer --mode tools --protocol http --endpoint http://localhost:8000/mcp/ \
--auth-config examples/auth_config.json
# Load settings from YAML
mcp-fuzzer --config config.yamlThis repository bundles:
- an official Python MCP SDK HTTP example:
examples/test_server.py - an official Go MCP SDK stdio example:
examples/go_stdio_server - an official TypeScript MCP SDK stdio example:
examples/typescript-stdio-server - a StreamableHTTP example:
examples/streamable_http_server.py
For other stdio usage, point the fuzzer at your own server:
mcp-fuzzer --mode tools --protocol stdio --endpoint "python my_server.py" \
--enable-safety-system --fs-root /tmp/mcp-safeMore runnable example flows are documented in
examples/README.md.
Keep the README for the basics. Use the docs for everything else:
MIT. See LICENSE.