NEW: CVE-2026-39313 -- Unbounded memory allocation in mcp-framework. CVSS 8.7 HIGH. View on NVD | Reported by CyberSecAI Ltd
FOR SECURITY TESTING ONLY
Damn Vulnerable MCP Server
The deliberately insecure MCP server for security testing, education, and agent security validation. Map every vulnerability in the OWASP MCP Top 10.
10 Vulnerabilities
12 OWASP Checks
22 Security Controls
Standards-Backed
Built on real security standards, not just best guesses.
OWASP
MCP Security Cheat Sheet
Section 7 -- implementation reference for MCP message signing and tool verification.
IETF
6 Internet-Drafts
MCP security, agent trust, ATTP, agent identity, audit trails, and agent transport -- all submitted to the IETF.
OpenID Foundation
Agent Identity Claims
IETF Internet-Draft submitted extending OpenID Connect for autonomous AI agent identity verification.
Security Scanner
Run a live OWASP MCP Top 10 scan against this server from your browser.
Vulnerabilities
10 intentional vulnerabilities covering every OWASP MCP Top 10 category.
| ID | Vulnerability | Severity | OWASP MCP |
|---|---|---|---|
| MCP-001 | No authentication on any endpoint | Critical | MCP-07 |
| MCP-002 | Tool definition tampering (rug pull) | Critical | MCP-03 |
| MCP-003 | Command injection via tool arguments | Critical | MCP-05 |
| MCP-004 | No input validation | High | MCP-05 |
| MCP-005 | SSRF via resources/read | Critical | MCP-06 |
| MCP-006 | Data exfiltration (no response limits) | High | MCP-10 |
| MCP-007 | Replay attacks (no nonce/timestamp) | High | MCP-07 |
| MCP-008 | No rate limiting | Medium | MCP-08 |
| MCP-009 | Privilege escalation via sampling | Critical | MCP-02 |
| MCP-010 | Sensitive tools exposed | High | MCP-02 |
Tools Exposed
Every tool this server exposes, and the risk each one carries.
| Tool | Risk | What it does |
|---|---|---|
| run_command | Critical | Executes arbitrary shell commands |
| search_files | Critical | Command injection via find pattern |
| fetch_url | Critical | SSRF -- fetches any URL server-side |
| read_file | Critical | Reads any file (path traversal) |
| write_file | Critical | Writes to any file |
| query_database | Critical | SQL injection vector |
| list_processes | High | Exposes running processes |
| get_env_vars | Critical | Leaks all environment variables |
| admin_panel | Critical | Unauthenticated admin access |
| get_weather | Medium | Safe tool (rug pull target) |
Test It
Try the MCP endpoints directly with curl.
Initialize
curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"initialize","id":1,"params":{"clientInfo":{"name":"test"}}}'
List Tools
curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/list","id":2}'
Command Injection
curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/call","id":3,"params":{"name":"run_command","arguments":{"command":"whoami"}}}'
Read /etc/passwd
curl -X POST ${'{URL}'}/mcp -H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/call","id":4,"params":{"name":"read_file","arguments":{"path":"/etc/passwd"}}}'
Run Locally (Recommended)
For security testing, always use the Docker image locally. Do not point scanning tools at the hosted site.
Docker
docker pull razas/dvmcp docker run -p 3001:3001 razas/dvmcp
Verify: docker inspect razas/dvmcp --format '{{.Id}}'
Expected: sha256:fd3c41f4c44dd31b62fe9e963d48f5977d38a937d7caba66913719618cf66c27
License: BSL 1.1 -- Educational and security training use only. Commercial use requires Pro license.
Then visit http://localhost:3001
Usage Guide
How to use DVMCP for MCP security testing and education.
1. Run Locally
Pull the Docker image and run on your machine. This is the recommended approach for all security testing.
docker pull razas/dvmcp docker run -p 3001:3001 razas/dvmcp
sha256:fd3c41f4c44dd31b62fe9e963d48f5977d38a937d7caba66913719618cf66c27
2. Scan with security tools
Point your preferred security scanner at your local DVMCP instance. Import the MCP server URL and run active + passive scans.
Target: http://localhost:3001 Method: MCP Server Import
3. Scan with CLI
Use the agentpass-pentest tool to run all 12 OWASP MCP Top 10 checks.
pip install agentpass-pentest agentpass-pentest -t http://localhost:3001 --owasp-mcp
4. Manual Testing
Use curl or any HTTP client to send JSON-RPC requests directly to the MCP endpoint.
curl -X POST http://localhost:3001 \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"tools/list","id":1}'
Disclaimer
Important -- Read Before Use
- DVMCP is a deliberately vulnerable application designed for security testing and educational purposes only.
- Do NOT deploy DVMCP in any production environment or on any network accessible to untrusted users.
- Do NOT point automated scanning tools at the hosted version (dvmcp.co.uk). Use the Docker image locally for all security testing.
- The hosted version at dvmcp.co.uk is for personal, educational, and non-commercial use only. Use of the hosted service as part of, or in conjunction with, any commercial product or service is prohibited without a license from CyberSecAI Ltd.
- CyberSecAI Ltd accepts no liability for any damage, loss, or legal consequences arising from the use or misuse of this software.
- By using DVMCP you accept full responsibility for your actions and agree to use it only in environments you are authorised to test.
- DVMCP is licensed under the Business Source License 1.1. Free for non-commercial use. Commercial use requires a separate license from CyberSecAI Ltd.
- This software is provided "as is" without warranty of any kind, express or implied.
- DVMCP is an independent project. It is not affiliated with, endorsed by, or associated with Anthropic, the Model Context Protocol project, or the Linux Foundation.
References
Standards, specifications, and tools behind DVMCP.
- OWASP MCP Security Cheat Sheet
Section 7 -- MCP Message Signing
- IETF draft-sharif-mcps-secure-mcp
MCP Message Signing
- MCP Security Benchmark
22 controls, 6 sections
- MCP Specification
Model Context Protocol
- DVMCP on GitHub
Source code and documentation
- Cybersecify
MCP Security Scanner
DVMCP Pro
Enterprise MCP security training platform. Everything in Community, plus:
Community Edition FREE
- 10 vulnerabilities
- 12 OWASP MCP Top 10 checks
- Self-hosted Docker image
- Browser-based scanner
- curl test examples
- BSL 1.1 License (view)
AVAILABLE NOW
Pro Edition
- Everything in Community, plus:
- 25+ vulnerabilities
- MCP Server DAST scanning
- Agent Security Testing (OWASP Agentic AI Top 10)
- Agent identity verification testing
- Agent trust boundary testing
- Rogue agent injection simulation
- MCP tool poisoning resistance testing
- Agent credential leakage detection
- OWASP MCP Top 10 mapping per vulnerability
- EU AI Act compliance mapping
- Guided training modules (fix each vuln step-by-step)
- Team scoreboard and progress tracking
- Custom vulnerability injection
- PDF and JSON report export
- Dedicated hosted instances (per-org)
- Slack and webhook notifications
- Priority support