OPEN-SOURCE TOOL · MIT-LICENSED · 139 TESTS
Open-source fuzzer for Model Context Protocol servers. Automated detection of tool poisoning, parameter injection, privilege escalation, side-channel exfiltration, sandbox escape, and prompt-to-RCE chains. The Surface 3 half of the Five Surfaces methodology.
What it tests
Twenty distinct risk classes across the Surface 3 attack catalog. Six representative capabilities below — each has multiple probe variants and configurable severity ratings.
01 · TOOL-DESCRIPTION POISONING
Injects adversarial instructions into tool descriptions sourced from config files, environment variables, and upstream APIs. Catalogs which descriptions the model treats as authoritative vs. which it correctly isolates as data. Twelve probe patterns covering invisible Unicode, second-level templating, and instruction-shaped strings.
02 · PARAMETER INJECTION
Targeted batteries for SQL injection (against db_query tools), command injection (against shell wrappers), path traversal (against file tools), and SSRF (against HTTP tools). Tests parameter provenance: can low-trust input flow into high-privilege calls without re-authorization?
03 · PRIVILEGE ESCALATION
Enumerates every pair of tools in the manifest and tests whether a low-trust tool's output can feed into a high-trust tool's input without explicit consent. Catches confused-deputy patterns and scope-creep compositions that single-tool tests miss.
04 · SIDE-CHANNEL EXFILTRATION
Detects exfiltration via DNS lookups, URL fetches, and log injection — the channels attackers use when the obvious egress paths are blocked. Includes detection for telemetry leakage through OTLP exporters that include prompt content in trace spans.
05 · SANDBOX ESCAPE
Battery against code-execution tools: process escape (os.system, subprocess.Popen, ctypes.CDLL), filesystem escape (/etc/passwd reads, out-of-sandbox writes), network escape (socket binds), and container escape (nsenter, /proc/<pid>/root). Verifies resource limits and host-isolation enforcement.
06 · PROMPT-TO-RCE CHAIN DETECTION
End-to-end testing of the attack path that turns user input into host code execution: user input → retrieval → model reasoning → tool invocation → sandbox escape. The chain is where the highest-severity 2026 findings have landed; mcp-fuzzer is built to catch it.
Provenance and validation
139 unit tests passing on Ubuntu, macOS, and Windows. CI runs against a panel of intentionally-vulnerable MCP servers (the test corpus) plus a panel of hardened ones (regression check that the fuzzer doesn’t false-positive on properly-built systems).
Two of the eight Vectorbreak case studies — MiniMax-M2 (16 findings, 12 HIGH) and gpt-oss:120b (38 findings, 36 HIGH) — surfaced their Surface 3 findings using this fuzzer in a direct-to-model configuration. The case studies are the falsifiable evidence that the test suite catches real high-severity issues.
The repo is in coordinated-disclosure window as of 2026-05-23. Public release will land on GitHub with documented configuration, a test panel of MCP servers, CI integration examples, and a contribution guide for adding probe patterns.
FREQUENTLY ASKED
FAQ
What is mcp-fuzzer?
mcp-fuzzer is an open-source testing harness for Model Context Protocol (MCP) servers, the AI agent-tool integration standard adopted by Claude, Cursor, and increasing numbers of agentic AI platforms. It implements Surface 3 (Tool-Call/MCP) of the Five Surfaces methodology — automated detection of tool poisoning, parameter injection, privilege escalation, sandbox escape, side-channel exfiltration, and prompt-to-RCE chains. MIT-licensed. Maintained by Vectorbreak.
What does it test?
Twenty distinct risk classes across the Surface 3 attack catalog. Six representative capabilities: tool-description poisoning, parameter injection, privilege escalation, side-channel exfiltration, sandbox escape, and prompt-to-RCE chain detection. Each capability has multiple probe variants — tool-description poisoning alone has twelve probe patterns covering invisible Unicode, second-level templating, instruction-shaped strings, and config-injection vectors.
How is it different from existing fuzzers?
Most existing AI security tools (promptfoo, Garak, Adversa) focus on Surface 1 (Input/Output) — prompt-injection batteries against the model directly. mcp-fuzzer targets Surface 3 specifically: the tool-invocation layer where agentic systems chain capabilities. It tests not just whether a single tool can be subverted, but whether tool composition unlocks unintended capabilities. The pair-enumeration logic for privilege-escalation testing is the differentiator.
What does the test suite cover?
139 unit tests passing on Ubuntu, macOS, and Windows. CI runs against a panel of intentionally-vulnerable MCP servers (the test corpus) plus a panel of hardened ones (regression check that the fuzzer doesn't false-positive on properly-built systems). Two of the eight Vectorbreak case studies — MiniMax-M2 (16 findings, 12 HIGH) and gpt-oss:120b (38 findings, 36 HIGH) — surfaced their Surface 3 findings using mcp-fuzzer.
How do I use it?
Public release is in coordinated-disclosure window as of 2026-05-23. Vectorbreak red-team clients receive private builds with engagement-specific probe additions. The MIT-licensed public release will land on GitHub with documented configuration, a panel of test MCP servers, CI integration examples, and a contribution guide for adding new probe patterns. Request early access via [email protected].
How does it relate to the Five Surfaces methodology?
mcp-fuzzer is the automated half of Surface 3 (Tool-Call/MCP) testing in the Five Surfaces methodology. Surfaces 1, 2, 4, and 5 require significant manual creative testing; Surface 3 is the most automatable, which is why it gets a dedicated tool. The fuzzer is what the Pulse ($4,500, 1-day) and MCP Triage ($12,500, 1-week) engagement tiers run as their primary battery. Higher-tier engagements use mcp-fuzzer as one of multiple instruments.
Request early access.
Public release pending coordinated disclosure. Active engagements receive private builds. Researchers and security teams: get in touch with your use case.