servers

Model Context Protocol Servers

by modelcontextprotocol

Star on GitHub ForkWebsite npm

79.7k stars 9.7k forks 1.0k contributorsActive · 3d agoSince 2024

Meet the team

See all 1015 on GitHub →

olaservo518 contributions

tadasant239 contributions

jspahrsummers217 contributions

cliffhall204 contributions

Languages

View on GitHub →

TypeScript70.2%

Python18.2%

JavaScript10.3%

Dockerfile1.2%

Commit activity

Last 12 weeks · 174 commits

Full graph →

Community health

5 of 6 standards met

Community profile →

✓README✓License✓Contributing✓Code of Conduct○Issue Template✓PR Template

Recent PRs & issues

Active · Last activity 3d ago

See all on GitHub →

feat(fetch): add SSRF protection and comprehensive security test suiteOpenPR

Summary This PR adds Server-Side Request Forgery (SSRF) protection and a comprehensive security test suite to the fetch MCP server. Security Features Added SSRF Protection URL scheme validation (only http/https allowed) Private IP range blocking (10.x, 172.16-31.x, 192.168.x, 127.x, etc.) IPv6 private address blocking (::1, fe80::, fc00::, etc.) Dangerous hostname blocking (localhost, metadata services, etc.) DNS resolution validation to prevent DNS rebinding Configurable via MCP_FETCH_ALLOW_PRIVATE_IPS env var Whitelist support via MCP_FETCH_ALLOWED_PRIVATE_HOSTS SSL Configuration Configurable SSL verification via MCP_FETCH_SSL_VERIFY env var Comprehensive SSL error handling with helpful messages Test Suite (89 tests) SSRF protection tests Private IP blocking tests Input validation tests URL scheme validation tests Integration tests Edge case tests Configuration ~~~ Disable SSL verification for self-signed certs export MCP_FETCH_SSL_VERIFY=false Allow private IPs (use with caution) export MCP_FETCH_ALLOW_PRIVATE_IPS=true Whitelist specific internal hosts export MCP_FETCH_ALLOWED_PRIVATE_HOSTS=internal.company.com,api.local ~~~ Server Details Server: fetch Changes to: Security (SSRF protection, SSL config), tests Motivation and Context The fetch server can be exploited for SSRF attacks, allowing malicious actors to access internal services (cloud metadata endpoints, internal APIs, etc.). This PR adds comprehensive protection while maintaining flexibility for legitimate internal use cases through configuration options. How Has This Been Tested? 89 security tests pass locally Tested with pyright (0 errors) CI pipeline passes Breaking Changes None. All protections are backward compatible. Private IPs can be enabled via env var if needed. Types of changes [x] Bug fix (non-breaking change which fixes an issue) [x] New feature (non-breaking change which adds functionality) [ ] Breaking change (fix or feature that would cause existing functionality to change) [ ] Documentation update Checklist [x] I have read the MCP Protocol Documentation [x] My changes follows MCP security best practices [x] I have updated the server's README accordingly [x] I have tested this with an LLM client [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [x] I have added appropriate error handling [x] I have documented all environment variables and configuration options Additional context This PR builds on #3179 which adds SSL verification configuration.

Recent fixes

View closed PRs →

Add Spring Boot Swagger MCP to Community ServersMergedPR

Description This PR adds Spring Boot Swagger MCP to the Community Servers list. Motivation and Context Spring Boot is the most popular framework for enterprise Java development. This library allows developers to instantly expose their existing APIs as MCP tools without writing any adapter code, bridging the gap between traditional backend services and AI agents. Key Features Zero Boilerplate: Uses existing \@RestController\ and \@Operation\ annotations. Auto-Discovery: Dynamically generates tool specifications from the running application. Safe by Default: Configurable human-in-the-loop confirmation for side-effect operations (POST/PUT/DELETE). Advanced Context: Built-in meta-tools to help LLMs explore and understand the API hierarchy. How Has This Been Tested? Tested with: Claude Desktop MCP Inspector Various Spring Boot applications using \springdoc-openapi\. Checklist [x] I have read the MCP Protocol Documentation [x] My changes follows MCP security best practices [x] I have updated the server's README accordingly [x] I have tested this with an LLM client [x] My code follows the repository's style guidelines [x] New and existing tests pass locally [x] I have added appropriate error handling [x] I have documented all environment variables and configuration options Links Repository: https://github.com/Neo1228/spring-boot-starter-swagger-mcp Documentation: https://github.com/Neo1228/spring-boot-starter-swagger-mcp#readme

Structured data for AI agents

Repository: modelcontextprotocol/servers. Description: Model Context Protocol Servers Stars: 79716, Forks: 9693. Primary language: TypeScript. Languages: TypeScript (70.2%), Python (18.2%), JavaScript (10.3%), Dockerfile (1.2%). Homepage: https://modelcontextprotocol.io Latest release: 2026.1.26 (1mo ago). Open PRs: 100, open issues: 290. Last activity: 3d ago. Community health: 87%. Top contributors: olaservo, tadasant, jspahrsummers, cliffhall, dsp-ant, jerome3o-anthropic, maheshmurag, evalstate, baryhuang, marcelo-ochoa and others.