cve-mcp-server

Queries CVE records across NVD, OSV, and GitHub Advisory databases simultaneously, aggregating vulnerability metadata (CVSS scores, descriptions, affected versions, patch status) into unified response objects. Implements parallel API calls with fallback routing when primary sources are unavailable, returning structured vulnerability intelligence with source attribution for audit trails.

Integrates FIRST's Exploit Prediction Scoring System (EPSS) API to compute exploit likelihood percentiles for CVEs, translating raw CVSS scores into real-world exploitability predictions. Returns percentile rankings (0-100) indicating the probability a vulnerability will be exploited in the wild, enabling risk-based prioritization of remediation efforts over pure severity metrics.

Monitors vulnerability feeds (NVD, CISA KEV, OSV, vendor advisories) for new disclosures matching specified criteria (affected products, severity thresholds, threat actor attribution). Implements filtering and deduplication logic to reduce alert fatigue, delivering structured notifications with context (impact assessment, remediation guidance, affected asset count) to configured channels (email, Slack, webhook).

Correlates vulnerability data with threat actor profiles, known attack campaigns, and malware families using MITRE ATT&CK, VirusTotal, and threat intelligence feeds. Maps CVEs to specific threat groups (e.g., APT28, Lazarus) known to exploit them, enabling threat-driven vulnerability prioritization and incident correlation. Implements entity linking to connect disparate threat intelligence sources into coherent threat profiles.

Implements the Model Context Protocol (MCP) server specification, exposing all 27 security tools as callable functions with standardized JSON-RPC interfaces. Handles request routing, parameter validation, error handling, and response serialization according to MCP specification. Enables seamless integration with Claude and other MCP-compatible clients through automatic tool discovery and schema advertisement.

Implements secure credential management for 21+ external APIs (NVD, EPSS, CISA KEV, Shodan, VirusTotal, etc.) with support for environment variables, configuration files, and secure credential stores. Handles API key rotation, rate limit tracking, and provider failover logic. Enables seamless switching between API providers (e.g., multiple VirusTotal API keys for rate limit distribution) without code changes.

Implements comprehensive error handling with automatic fallback routing when primary data sources are unavailable. Catches API failures, rate limits, timeouts, and malformed responses, routing requests to alternative providers or returning cached/partial results. Provides detailed error context to clients enabling informed decision-making when data is incomplete or unavailable.

Implements schema-based output formatting for all tool responses, ensuring consistent JSON structure across 27 different APIs with varying response formats. Parses and normalizes heterogeneous API responses into unified data models (e.g., all vulnerability records conform to a standard schema regardless of source). Enables reliable downstream processing by Claude and other clients through guaranteed output structure.

Implements intelligent caching of API responses with configurable TTLs (time-to-live) based on data volatility. Caches stable data (CVE descriptions, MITRE ATT&CK mappings) with long TTLs (24+ hours), while caching volatile data (EPSS scores, CISA KEV status) with short TTLs (1-4 hours). Reduces API calls and latency for repeated queries, enabling faster response times and lower API quota consumption.

Implements comprehensive logging of all API calls, tool invocations, and results with structured logging format (JSON) suitable for log aggregation and analysis. Maintains audit trails showing who queried what data, when, and what results were returned. Enables compliance documentation for regulatory requirements (HIPAA, SOC 2, PCI-DSS) by providing detailed records of security tool usage and data access.

Provides auto-generated documentation for all 27 tools including parameter descriptions, example invocations, and expected outputs. Implements tool discovery endpoint that Claude can query to understand available tools and their capabilities. Supports both human-readable documentation (Markdown) and machine-readable schemas (JSON Schema).

Queries CISA's authoritative KEV catalog of vulnerabilities with confirmed active exploitation in the wild, returning structured records of vulnerability IDs, exploit availability, due dates for federal agency patching, and threat actor attribution when available. Implements real-time filtering against the continuously updated CISA KEV dataset to identify which vulnerabilities in a portfolio have documented exploits.

Maps CVEs and vulnerabilities to MITRE ATT&CK tactics, techniques, and sub-techniques, enabling threat modeling by linking exploits to adversary behavior patterns. Queries the MITRE ATT&CK knowledge base to return structured technique IDs, tactic categories (e.g., Initial Access, Privilege Escalation), and associated threat groups known to use specific attack chains, facilitating threat-driven vulnerability prioritization.

Integrates Shodan API to search for internet-exposed devices, services, and infrastructure matching specified criteria (IP ranges, ports, banners, hostnames). Returns structured results including device metadata (OS, service version, geolocation), vulnerability indicators, and exposure risk scores. Enables reconnaissance of attack surface by identifying which systems running vulnerable software are publicly accessible.

Queries VirusTotal API to check files, URLs, and IP addresses against 90+ antivirus engines and threat intelligence sources, returning detection ratios, malware family classifications, and behavioral analysis results. Enables correlation of vulnerability exploits with known malware payloads, identifying which CVEs are actively weaponized and distributed in the wild.

Implements direct querying of the National Vulnerability Database (NVD) with support for complex filtering by CVE ID, CWE (Common Weakness Enumeration), CVSS score ranges, publication date ranges, and affected product/vendor combinations. Returns paginated results with complete vulnerability records including descriptions, references, and configuration data, enabling comprehensive vulnerability research and portfolio analysis.

Queries the OSV database (maintained by Google and the Linux Foundation) for vulnerabilities in open-source packages across multiple ecosystems (npm, PyPI, Maven, Cargo, Go, Pub, NuGet, RubyGems). Returns ecosystem-specific metadata including affected version ranges, patch availability, and ecosystem-native advisory links. Enables rapid identification of vulnerable dependencies in software supply chains.

Synthesizes vulnerability data from multiple sources (CVE, CVSS, EPSS, CISA KEV, MITRE ATT&CK) to generate structured impact assessments and remediation recommendations. Analyzes vulnerability characteristics (exploitability, affected systems, patch availability, workarounds) to produce prioritized remediation guidance tailored to organizational context (industry, asset inventory, compliance requirements).

Processes lists of CVE IDs, package names, or IP addresses in bulk to generate comprehensive vulnerability portfolio reports. Implements parallel processing of multiple queries with aggregation of results into summary statistics (total vulnerabilities, severity distribution, exploitability trends, remediation recommendations). Outputs structured reports suitable for executive briefings, compliance documentation, or automated SLA tracking.