
Damn Vulnerable Model Context Protocol (DVMCP)

Author: harishsg993010

Description: A deliberately vulnerable Python MCP server/lab for educational purposes, containing 10 security challenges (easy/medium/hard) demonstrating common MCP/LLM integration vulnerabilities (e.g., prompt injection, tool poisoning, excessive permissions, rug pulls, tool shadowing, indirect prompt injection, token theft, malicious code execution, remote access control, multi-vector chains). Intended for learning and research; not for production use. Docker run exposes challenge servers on ports 9001–9010; Linux/Docker recommended (Windows noted as unstable).

Stars: 1.3k

Forks: 140

License: MIT License

Category: Specialized

Installation

## Quick Start (Docker)
Once you have cloned the repository, run:

```bash
docker build -t dvmcp .
docker run -p 9001-9010:9001-9010 dvmcp
```

## Notes (from README)
- "It's not stable in a Windows environment." If you don't want to use Docker, use a Linux environment.
## More detailed setup
- See the Setup Guide: [https://github.com/harishsg993010/damn-vulnerable-MCP-server/blob/main/docs/setup.md](https://github.com/harishsg993010/damn-vulnerable-MCP-server/blob/main/docs/setup.md)

FAQs

How do I connect CLINE in VS Code to DVMCP challenge servers using SSE?

Add the server configuration to CLINE's settings JSON by opening VS Code settings, locating the MCP Servers section, and inserting an entry with the challenge name as key and the localhost URL as value. CLINE automatically establishes the SSE connection when you save the configuration and restart the extension or reload the window.

What mitigations does DVMCP recommend for preventing tool shadowing and rug pull attacks in production MCP servers?

The content describes tool shadowing and rug pull vulnerabilities but doesn't detail specific mitigations. The official solutions guide linked in the article contains exploitation steps and mitigation strategies for all challenges, including Challenges 4 and 5. You'll need to review that guide directly for the recommended defenses against behavior-switching tools and malicious server impersonation.

What are the 10 vulnerability types covered by DVMCP and how do they map to real-world MCP attack scenarios?

DVMCP covers prompt injection, tool poisoning, excessive permissions, rug pull attacks, tool shadowing, indirect prompt injection, token theft, malicious code execution, remote access control, and multi-vector attacks. These vulnerabilities span unsanitized inputs, malicious tool descriptions, overly broad file access, post-approval behavior changes, server impersonation, attacks via external data, insecure credential storage, unvalidated interpreter input, and chained exploits.

How can I use DVMCP to validate whether my MCP security scanner detects tool poisoning and prompt injection?

Point your scanner at Challenge 1 (port 8001) for basic prompt injection and Challenge 2 (port 8002) for tool poisoning, then compare detections against the official solutions guide to identify which vulnerability patterns your scanner misses. Run both challenges independently to isolate false negatives, then adjust scanner rules before testing against real MCP servers.

Why does DVMCP have compatibility issues with Claude Desktop and Cursor, and are there workarounds?

DVMCP faces compatibility issues with Claude Desktop and Cursor due to underlying infrastructure problems: an SSE reset bug in Docker and a FastMCP framework bug. A community-contributed fix exists in pull request twenty-five but remains unmerged. Until these are resolved, the recommended workaround is using CLINE with SSE connections instead.

What is the difference between DVMCP and MCP Hammer for MCP security training?

DVMCP offers structured progression with ten challenges across three difficulty levels, complete with official solutions and exploitation guides. MCP Hammer focuses narrowly on tool poisoning and text injection without difficulty tiers or documented solutions, making it better suited for targeted demos than comprehensive training programs.

Updated 12/8/2025