MCPSERV.CLUB
evrenyal

Vulnerable MCP Server

MCP Server

Intentionally insecure command execution for security research.

Stale (50)
3 stars
1 view
Updated Jun 17, 2025

About

A deliberately vulnerable Model Context Protocol (MCP) server built with FastAPI, SQLite and an Ollama-hosted LLM. It routes natural language to raw SQL or shell commands over JSON-RPC, so SQL injection (SQLi) and remote code execution (RCE) can be exercised against it in an isolated lab environment.

Capabilities

Resources: Access data sources
Tools: Execute functions
Prompts: Pre-built templates
Sampling: AI model interactions

Overview

The Mcpsecurity MCP server is a deliberately vulnerable command-execution platform built to help security researchers study the intersection of LLMs, web frameworks, and database interfaces. It exposes a JSON-RPC endpoint that accepts natural language queries and demonstrates how an LLM can be coaxed into generating raw SQL or shell commands that are then executed with no safeguards. The server is intentionally unprotected: no authentication, no input validation, and no rate limiting. That makes it a realistic playground for testing SQL injection (SQLi) and remote code execution (RCE) vectors against FastAPI, JSON-RPC, and LLM-driven decision logic.

At its core, the server combines four technologies: FastAPI for a lightweight HTTP interface, SQLite as a persistent data store, an Ollama-hosted LLM for interpreting user intent, and JSON-RPC as the wire protocol. When a client sends a natural language request, the local LLM decides whether the intent should be translated into an SQL statement or a shell command and emits that statement or command verbatim. The result is executed directly against the SQLite database or run as a shell command on the host, and the output is returned to the caller. Because the model's output is never inspected, filtered, or constrained before execution, the server is an ideal target for measuring how easily a malicious prompt can trigger dangerous operations.

For developers working with AI assistants, Mcpsecurity offers a clear illustration of the risks that arise when an LLM is granted direct access to system resources. Because the command-routing example is minimal yet complete, developers can experiment with mitigation strategies (input sanitization layers, role-based access controls, or sandboxed execution environments) in a controlled setting and observe which ones actually stop a given payload. The auto-initializing SQLite database, seeded with sample data, provides an immediate test bed for SQLi scenarios, while the raw shell execution path enables RCE demonstrations.
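The following is an added example, not code from the Mcpsecurity project or its author. It reproduces the routing pattern described above (natural language to SQL or shell, then direct execution) as a single JSON-RPC method handler, with a deterministic stand-in for the Ollama model so that it runs offline. The HTTP layer (FastAPI) is omitted; `handle_rpc` is the part a FastAPI route would call. It shows the unsafe dispatcher beside a hardened one that uses parameterised SQL and an argv-only, allowlisted shell path. All function names, the `query` method, the sample rows, and the `fake_llm` intent grammar are assumptions made for this example.

```python
# Added example, not the project's code. Names, sample data and the intent
# grammar in fake_llm() are assumptions for illustration.
import re
import shlex
import sqlite3
import subprocess


def make_db():
    """Constructed stand-in for the server's auto-initialised SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    conn.commit()
    return conn


def fake_llm(text):
    """Deterministic stand-in for the LLM routing step (assumption: in the real
    server an Ollama model makes this decision). Returns (kind, payload) where
    kind is 'sql' or 'shell'. Like a model prompted to 'translate this request',
    it copies user-controlled text straight into the payload."""
    m = re.match(r"find user (.+)", text, re.S)
    if m:
        return "sql", m.group(1)
    m = re.match(r"run (.+)", text, re.S)
    if m:
        return "shell", m.group(1)
    return None, None


# --- Unsafe path: the behaviour the page describes --------------------------
def run_unsafe(conn, text):
    kind, payload = fake_llm(text)
    if kind == "sql":
        # Statement built by string formatting: payload is spliced into the SQL.
        sql = f"SELECT name, role FROM users WHERE name = '{payload}'"
        return conn.execute(sql).fetchall()
    if kind == "shell":
        # Raw string handed to /bin/sh: ';', '|', '$(...)' all work here.
        return subprocess.run(payload, shell=True, capture_output=True,
                              text=True).stdout
    raise ValueError("unrecognised intent")


# --- Hardened path: parameterised SQL, argv-only exec, allowlisted verb ------
SHELL_ALLOWLIST = {"echo", "date"}   # assumed policy: the only permitted binaries


def run_hardened(conn, text):
    kind, payload = fake_llm(text)
    if kind == "sql":
        # Placeholder binding: the payload can only ever be compared as data.
        return conn.execute(
            "SELECT name, role FROM users WHERE name = ?", (payload,)).fetchall()
    if kind == "shell":
        argv = shlex.split(payload)          # tokenise, never re-join for a shell
        if not argv or argv[0] not in SHELL_ALLOWLIST:
            raise PermissionError(f"command not allowlisted: {argv[:1]}")
        # No shell involved: metacharacters reach the program as literal argv.
        return subprocess.run(argv, capture_output=True, text=True).stdout
    raise ValueError("unrecognised intent")


def handle_rpc(request, conn, hardened=False):
    """Minimal JSON-RPC 2.0 handler for one assumed method, 'query'."""
    runner = run_hardened if hardened else run_unsafe
    try:
        if request.get("method") != "query":
            raise ValueError("unknown method")
        result = runner(conn, request["params"]["text"])
        return {"jsonrpc": "2.0", "id": request.get("id"), "result": result}
    except Exception as exc:
        return {"jsonrpc": "2.0", "id": request.get("id"),
                "error": {"code": -32000, "message": str(exc)}}


if __name__ == "__main__":
    db = make_db()
    sqli = {"jsonrpc": "2.0", "id": 1, "method": "query",
            "params": {"text": "find user x' OR '1'='1"}}
    rce = {"jsonrpc": "2.0", "id": 2, "method": "query",
           "params": {"text": "run echo hi; echo INJECTED"}}
    print(handle_rpc(sqli, db))                  # every row leaks
    print(handle_rpc(rce, db))                   # second command executes
    print(handle_rpc(sqli, db, hardened=True))   # no rows: payload was data
    print(handle_rpc(rce, db, hardened=True))    # 'hi; echo INJECTED' echoed literally
```

The unsafe path returns both users for the tautology payload and runs the second `echo` after the semicolon; the hardened path returns no rows and passes `hi;`, `echo`, `INJECTED` to the real `echo` as plain arguments. The allowlist matters because `shlex.split` alone does not help if the model emits `sh -c '...'`: restricting `argv[0]` to a short set of harmless binaries is what closes that door. Even so, the stronger design the page alludes to is to not let the model emit shell at all and instead expose narrow, parameterised tools.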

Typical use cases include:

  • CTF and red‑team exercises where participants must craft prompts that trigger unintended command execution.
  • Security training workshops focused on LLM prompt injection and defensive coding practices.
  • Penetration testing toolchains that integrate LLMs to generate attack vectors against web services.
  • Research into safe‑by‑design LLM integration, where developers can prototype and validate isolation techniques before deploying in production.

Because the server's architecture is deliberately minimal, it can be dropped into an existing AI workflow with little effort, provided that workflow runs in the isolated environment the project is intended for. A developer points an LLM-powered assistant at the JSON-RPC endpoint and can watch natural language turn into concrete SQL statements and shell commands. The resulting insights help teams understand why LLM outputs must be treated as untrusted input, why the executing process should run with least privilege, and why validation has to happen after the model speaks and before anything executes. In short, Mcpsecurity serves as both a cautionary example and a practical testing ground for building secure AI-augmented systems.