Dvmcp – Damn Vulnerable MCP Server for Security Testing

I built a deliberately vulnerable MCP (Model Context Protocol) server for security testing and scanner validation. 10 intentional vulnerabilities covering the OWASP MCP Top 10 -- auth bypass, command injection, SSRF, tool definition tampering, unsigned messages, and more.

One-click scan runs 12 tests in your browser with remediation guidance. Docker image available for local testing: docker pull razas/dvmcp

https://cheatsheetseries.owasp.org/cheatsheets/MCP_Security_...

Source: https://github.com/razashariff/dvmcp