Access the OSV (Open Source Vulnerabilities) database for vulnerability information. Query vulnerabilities by package version or commit, batch query multiple packages, and get detailed vulnerability information by ID.
An MCP (Model Context Protocol) server that provides access to the OSV (Open Source Vulnerabilities) database.
This project implements an MCP server (served over SSE or streamable HTTP) that allows LLM-powered applications to query the OSV database for vulnerability information. The server provides tools for querying vulnerabilities by package version or commit, batch-querying multiple packages or commits at once, and fetching the full details of a vulnerability by its OSV ID.
# Clone the repository
git clone https://github.com/StacklokLabs/osv-mcp.git
cd osv-mcp
# Build the server
task build
The easiest way to run the OSV MCP server is using ToolHive, which provides secure, containerized deployment of MCP servers:
# Install ToolHive (if not already installed)
# See: https://docs.stacklok.com/toolhive/guides-cli/install
# Register a supported client so ToolHive can auto-configure your environment
thv client setup
# Run the OSV MCP server (packaged as 'osv' in ToolHive)
thv run osv
# List running servers
thv list
# Get detailed information about the server
thv registry info osv
The server will be available to your MCP-compatible clients and can query the OSV database for vulnerability information.
The server can be configured using environment variables:
MCP_PORT: The port number to run the server on (default: 8080)
MCP_TRANSPORT: The transport mode for the server (default: sse). Supported values: sse, streamable-http
Example:
# Run on port 3000
MCP_PORT=3000 ./build/osv-mcp-server
# Run on default port 8080
./build/osv-mcp-server
The server provides the following MCP tools:
Query for vulnerabilities affecting a specific package version or commit.
Input Schema:
{
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
Query for vulnerabilities affecting multiple packages or commits at once.
Input Schema:
{
"type": "object",
"properties": {
"queries": {
"type": "array",
"description": "Array of query objects",
"items": {
"type": "object",
"properties": {
"commit": {
"type": "string",
"description": "The commit hash to query for. If specified, version should not be set."
},
"version": {
"type": "string",
"description": "The version string to query for. If specified, commit should not be set."
},
"package_name": {
"type": "string",
"description": "The name of the package."
},
"ecosystem": {
"type": "string",
"description": "The ecosystem for this package (e.g., PyPI, npm, Go)."
},
"purl": {
"type": "string",
"description": "The package URL for this package. If purl is used, package_name and ecosystem should not be set."
}
}
}
}
},
"required": ["queries"]
}
Get details for a specific vulnerability by ID.
Input Schema:
{
"type": "object",
"properties": {
"id": {
"type": "string",
"description": "The OSV vulnerability ID"
}
},
"required": ["id"]
}
Example: query a single package version
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
}
Example: query by commit hash
{
"commit": "6879efc2c1596d11a6a6ad296f80063b558d5e0f"
}
Example: batch query several packages
{
"queries": [
{
"package_name": "lodash",
"ecosystem": "npm",
"version": "4.17.15"
},
{
"package_name": "jinja2",
"ecosystem": "PyPI",
"version": "2.4.1"
}
]
}
Example: get vulnerability details by OSV ID
{
"id": "GHSA-vqj2-4v8m-8vrq"
}
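The tool inputs above map onto the public OSV REST API (POST https://api.osv.dev/v1/query and /v1/querybatch, GET /v1/vulns/{id}), whose request and response field names are a fact about that API rather than something this page states. The page does not show how the server performs that mapping, so the Go below is an added example written for this page, not the project's code. It validates a tool input against the exclusivity rules spelled out in the schema descriptions before anything is sent upstream, builds the OSV request body for single and batch queries, and extracts IDs and aliases from a query response. The type and function names are the example's own, and the response it parses is a constructed sample embedded inline so the program runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ToolQuery mirrors the fields of the single-query tool input schema (and of
// each item in the batch tool's "queries" array).
type ToolQuery struct {
	Commit      string `json:"commit,omitempty"`
	Version     string `json:"version,omitempty"`
	PackageName string `json:"package_name,omitempty"`
	Ecosystem   string `json:"ecosystem,omitempty"`
	PURL        string `json:"purl,omitempty"`
}

// OSVPackage is the "package" object of an OSV API query body.
type OSVPackage struct {
	Name      string `json:"name,omitempty"`
	Ecosystem string `json:"ecosystem,omitempty"`
	PURL      string `json:"purl,omitempty"`
}

// OSVQuery is the body POSTed to https://api.osv.dev/v1/query.
type OSVQuery struct {
	Commit  string      `json:"commit,omitempty"`
	Version string      `json:"version,omitempty"`
	Package *OSVPackage `json:"package,omitempty"`
}

// OSVBatchQuery is the body POSTed to https://api.osv.dev/v1/querybatch.
type OSVBatchQuery struct {
	Queries []OSVQuery `json:"queries"`
}

// ToOSVQuery enforces the exclusivity rules from the schema descriptions
// (commit xor version; purl xor package_name+ecosystem) and then maps the
// tool input onto the OSV request body.
func ToOSVQuery(q ToolQuery) (OSVQuery, error) {
	switch {
	case q.Commit != "" && q.Version != "":
		return OSVQuery{}, errors.New("commit and version are mutually exclusive")
	case q.PURL != "" && (q.PackageName != "" || q.Ecosystem != ""):
		return OSVQuery{}, errors.New("purl and package_name/ecosystem are mutually exclusive")
	case (q.PackageName == "") != (q.Ecosystem == ""):
		return OSVQuery{}, errors.New("package_name and ecosystem must be given together")
	}
	out := OSVQuery{Commit: q.Commit, Version: q.Version}
	if q.PURL != "" {
		out.Package = &OSVPackage{PURL: q.PURL}
	} else if q.PackageName != "" {
		out.Package = &OSVPackage{Name: q.PackageName, Ecosystem: q.Ecosystem}
	}
	// A commit query stands alone; a version query needs a package to apply to;
	// a bare purl is acceptable because the version may be embedded in it.
	if q.Commit == "" && q.Version != "" && out.Package == nil {
		return OSVQuery{}, errors.New("version requires package_name+ecosystem or purl")
	}
	if q.Commit == "" && q.Version == "" && out.Package == nil {
		return OSVQuery{}, errors.New("empty query")
	}
	return out, nil
}

// ToOSVBatch converts the batch tool input, rejecting the whole batch if any
// item is malformed so a bad entry cannot silently vanish from the results.
func ToOSVBatch(qs []ToolQuery) (OSVBatchQuery, error) {
	batch := OSVBatchQuery{Queries: make([]OSVQuery, 0, len(qs))}
	for i, q := range qs {
		oq, err := ToOSVQuery(q)
		if err != nil {
			return OSVBatchQuery{}, fmt.Errorf("queries[%d]: %w", i, err)
		}
		batch.Queries = append(batch.Queries, oq)
	}
	return batch, nil
}

// VulnSummary is the part of an OSV record worth surfacing to the model: the
// OSV ID plus the aliases (CVE numbers etc.) an analyst will cross-reference.
type VulnSummary struct {
	ID      string   `json:"id"`
	Aliases []string `json:"aliases"`
	Summary string   `json:"summary"`
}

// ParseQueryResponse extracts the "vulns" array of an OSV /v1/query response.
func ParseQueryResponse(body []byte) ([]VulnSummary, error) {
	var resp struct {
		Vulns []VulnSummary `json:"vulns"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	return resp.Vulns, nil
}

// sampleResponse is a constructed OSV-style response so the example runs
// offline; the alias is a placeholder, not a real advisory mapping.
const sampleResponse = `{"vulns":[{"id":"GHSA-vqj2-4v8m-8vrq","aliases":["CVE-0000-00000"],"summary":"constructed sample"}]}`

func main() {
	q, err := ToOSVQuery(ToolQuery{PackageName: "lodash", Ecosystem: "npm", Version: "4.17.15"})
	if err != nil {
		panic(err)
	}
	body, _ := json.Marshal(q)
	fmt.Println(string(body)) // the body the OSV API expects for this package version

	_, err = ToOSVQuery(ToolQuery{Commit: "6879efc2c1596d11a6a6ad296f80063b558d5e0f", Version: "1.0"})
	fmt.Println("conflicting input rejected:", err)

	vulns, _ := ParseQueryResponse([]byte(sampleResponse))
	for _, v := range vulns {
		fmt.Printf("%s aliases=%v\n", v.ID, v.Aliases)
	}
}
```

The point of validating before the upstream call is that model-generated tool calls routinely set fields the schema says are exclusive (for instance both a commit and a version); sending such a body to the API and letting it pick one silently produces an answer for a query the user never asked, so the server should reject it and let the model retry.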
task test
task lint
task fmt
We welcome contributions to this MCP server! If you'd like to contribute, please review the CONTRIBUTING guide for details on how to get started.
If you run into a bug or have a feature request, please open an issue in the repository or join us in the #mcp-servers channel on our community Discord server.
This project is licensed under the Apache v2 License - see the LICENSE file for details.