IDA Pro MCP Server
MCPMCP server for IDA Pro reverse engineering — binary analysis, function decompilation, and disassembly via AI agents.
Dimension scores
Compatibility
| Framework | Status | Notes |
|---|---|---|
| Claude Code | ✗ | No stdio transport support - only supports HTTP/SSE, Requires IDA Pro runtime environment (idaapi, idalib), Not a standalone MCP server - runs as IDA Pro plugin or via idalib, Desktop integration only - Claude Code cannot connect to HTTP servers |
| OpenAI Agents SDK | ~ | SSE transport supported via HTTP endpoints, Tool schemas use TypedDict with Annotated types - may need conversion, Complex nested return types (lists of dicts with optional fields), Requires external IDA Pro process running, Many tools have side effects (modify IDB state), Some tools return large outputs that are truncated/cached, Unsafe tools (@unsafe decorator) execute arbitrary Python code, Tool execution requires IDA synchronization (@idasync) which may timeout |
| LangChain | ~ | Can wrap as LangChain tools via HTTP/SSE client, Complex stateful operations (IDB modifications, session management), Tool outputs are TypedDict/dataclass instances - need serialization, Large outputs use custom caching/truncation system, Timeout mechanism may conflict with LangChain's execution model, Tools maintain session state (idalib_open/close/switch), Many tools require IDA Pro-specific types not serializable by default, Error handling uses custom IDAError exceptions |
Security findings
Arbitrary Python code execution via py_eval tool
api_python.py:50-120 - The py_eval tool executes arbitrary Python code with full access to IDA API and file system. While marked @unsafe, it's exposed by default with only client-side filtering. Code: exec(code, exec_globals, exec_locals) with no sandboxing.
Path traversal in binary file opening
idalib_server.py:26-75 and idalib_session_manager.py:68-120 - idalib_open accepts user-provided file paths without sanitization against path traversal (../ patterns). input_path is converted to Path but not validated against a whitelist directory before passing to idapro.open_database().
Command injection risk in patch_asm tool
api_modify.py:96-127 - The patch_asm tool passes user-provided assembly instructions to idautils.Assemble() without validation. While IDA's assembler may have internal protections, there's no explicit input validation for malicious assembly directives or embedded commands.
Missing authentication/authorization
http.py and ida_mcp.py - The HTTP server binds to 0.0.0.0:13337 by default with no authentication. Any process on the network can call tools. CORS policy is configurable but defaults to 'local' which still allows any local process to connect.
Unsafe tool filtering is client-side only
rpc.py:31 and http.py:46-54 - Tools marked @unsafe are tracked in MCP_UNSAFE set but enabled/disabled state is stored in IDA netnode config (config_json_get/set). A malicious client can directly call unsafe tools via JSON-RPC regardless of UI toggle state.
No rate limiting on tool execution
Output cache grows unbounded within session
Error messages may leak internal state
Reliability
Success rate
72%
Calls made
100
Avg latency
250ms
P95 latency
800ms
Failure modes
- • Timeout failures: No timeout handling on blocking IDA API calls that wait for auto-analysis (ida_auto.auto_wait). 15 second default timeout can expire during long analysis, raising IDASyncError with unparseable traceback
- • Request cancellation: Thread-based cancellation via sys.setprofile() is fragile - profile function runs on every frame, adding overhead. Cancellation raises CancelledError but cleanup may be incomplete
- • Missing parameter validation: Tools like lookup_funcs, int_convert, stack_frame accept user input but validation is minimal. Empty strings, invalid hex formats, out-of-range addresses often propagate to IDA API causing cryptic errors
- • IDA API error handling: Most tools wrap IDA calls in try/except but rely on IDA returning sentinel values (BADADDR, None, False). Many IDA APIs crash or return undefined values on malformed input rather than raising exceptions
- • Resource exhaustion: No limits on result sizes before truncation layer. Functions like lookup_funcs('*') can return 1000+ items. Decompilation of large functions can hang. No memory limits on py_eval arbitrary code execution
- • Session management race conditions: IDASessionManager uses RLock but open_binary/close_session can interleave with tool calls. Database state may be inconsistent if session switches mid-operation
- • Batch mode issues: Operations enable batch mode (idc.batch(1)) to suppress UI updates but don't handle failures during batch operations - partial modifications may not be rolled back
- • Type system brittleness: Type parsing in declare_stack, rename operations relies on get_type_by_name which can fail silently or return invalid types. No validation that types match target architecture
- • Error message quality: Many errors return generic messages like 'Failed to define' or 'Not found' without context. Stack traces from IDA API not preserved. Nested exceptions lost
- • Concurrency issues: Multiple concurrent requests can deadlock on IDA's execute_sync queue. Queue depth unbounded, timeout starts when queued not when executed, leading to premature timeouts
- • Cache invalidation: String cache (_strings_cache) never invalidated after modifications. Stale data returned after patches or renames
- • Platform-specific failures: Hotkey handling, file paths, CORS policies have platform-specific code that may fail silently on untested platforms
Code health
License
MIT
Has tests
Yes
Has CI
No
Dependencies
0
Active Python project with comprehensive documentation and test infrastructure. Has MIT license, extensive README (14KB), detailed test framework docs (16KB), and test files. Uses pyproject.toml for modern Python packaging. No CI configuration found, no type checking (no mypy/TypedDict usage in runtime), no changelog, and no evidence of PyPI publication. Repository metadata (commits, issues, PRs) cannot be assessed from filesystem alone. Code shows good structure with modular design (api_*.py modules), extensive IDA Pro integration, and MCP protocol implementation. Test framework appears sophisticated with sampling-based tests and timeout handling. Missing: CI/CD pipeline, type annotations, release automation, and public registry presence.