Releases: sahiloj/MCPScan
Releases · sahiloj/MCPScan
MCPScan v0.1.0 — Initial Public Release
MCPScan v0.1.0
The first public release of MCPScan — an offensive security auditor for Model Context Protocol (MCP) servers.
What it does
Connects to MCP servers (stdio, HTTP, SSE), enumerates all tools, resources, and prompts, then runs 8 security check categories:
- Tool Poisoning (MCP-1xx) — hidden Unicode, prompt injection, base64 payloads, markdown exfiltration
- Credential Leakage (MCP-2xx) — AWS keys, API tokens, JWTs, private keys, connection strings
- Overprivileged Tools (MCP-3xx) — dangerous capability combinations, unrestricted path access
- Auth Missing (MCP-4xx) — unauthenticated servers, CORS wildcards, 0.0.0.0 binding
- Session Hijacking (MCP-5xx) — session IDs in URLs, predictable IDs, insecure cookie flags
- SSRF Vectors (MCP-6xx) — user-supplied URL parameters, webhook endpoints
- RCE Vectors (MCP-7xx) — shell/exec parameters, code eval tools
- Supply Chain (MCP-8xx) — CVE version ranges, missing lockfiles, typosquatted packages
CVEs covered
| CVE | CVSS | Package |
|---|---|---|
| CVE-2025-6514 | 9.6 | mcp-remote — arbitrary RCE |
| CVE-2025-49596 | 9.4 | @modelcontextprotocol/inspector — unauthenticated RCE |
| CVE-2025-53967 | 8.2 | figma-developer-mcp — command injection |
| CVE-2026-25536 | 7.5 | @modelcontextprotocol/sdk — data leakage |
| CVE-2025-59536 | 9.1 | @anthropic-ai/claude-code — RCE + token exfil |
Output formats
Terminal (colored), JSON, and SARIF 2.1.0 for GitHub Code Scanning integration.
Quick start
npm install && npm run build
node dist/cli.js scan --command "npx" --args "-y @modelcontextprotocol/server-filesystem /tmp"
node dist/cli.js scan --all-configs