This OSV MCP server allows querying the OSV database for software vulnerabilities with the following capabilities:
Query for all CVE IDs associated with a specific package, optionally filtered by version and ecosystem (default: PyPI for Python packages)
Retrieve all affected versions of a package for a given CVE
Find all versions that fix a given CVE
Get a list of supported ecosystems and their corresponding programming languages or operating systems
Enables querying for package vulnerabilities in the PyPI ecosystem, fetching CVEs associated with packages and identifying affected and fixed versions
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@OSVshow me CVEs for requests package version 2.28.0"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
MCP Server For OSV
A lightweight MCP (Model Context Protocol) server for OSV Database API.
Example:
Tools Provided
Overview
name | description |
query_package_cve | List all the CVE IDs for a specific package. Specific version can be passed as well for more narrow scope CVE IDs. |
query_for_cve_affected | Query the OSV database for a CVE and return all affected versions of the package. |
query_for_cve_fix_versions | Query the OSV database for a CVE and return all versions that fix the vulnerability. |
get_ecosystems | Query the MCP for current supported ecosystems. |
Detailed Description
query_package_cve
Query the OSV database for a package and return the CVE IDs.
Input parameters:
package(string, required): The package name to queryversion(string, optional): The version of the package to query. If not specified, queries all versionsecosystem(string, optional): The ecosystem of the package. Defaults to "PyPI" for Python packages
Returns a list of CVE IDs with their details
query_for_cve_affected
Query the OSV database for a CVE and return all affected versions.
Input parameters:
cve(string, required): The CVE ID to query (e.g., "CVE-2018-1000805")
Returns a list of affected version strings
query_for_cve_fix_versions
Query the OSV database for a CVE and return all versions that fix the vulnerability.
Input parameters:
cve(string, required): The CVE ID to query (e.g., "CVE-2018-1000805")
Returns a list of fixed version strings
get_ecosystems
Query for all current supported ecosystems by the MCP servers.
Return a dict with the key being the ecosystem name and the value the programming language / OS.
Related MCP server: MCP Vulnerability Management System
Prerequisites
Python 3.11 or higher: This project requires Python 3.11 or newer.
# Check your Python version python --versionInstall uv: A fast Python package installer and resolver.
pip install uvOr use Homebrew:
brew install uv
Tested on
Cursor
Claude
Installation
Via Smithery:
npx -y @smithery/cli install @EdenYavin/OSV-MCP --client claudeLocally:
Clone the repo:
https://github.com/EdenYavin/OSV-MCP.gitConfigure your MCP Host (Cusrsor / Claude Desktop etc.):
{
"mcpServers": {
"osv-mcp": {
"command": "uv",
"args": ["--directory", "path-to/OSV-MCP", "run", "osv-server"],
"env": {}
}
}
}
Leave a review on
Resources
Looking for Admin?
Admins can modify the Dockerfile, update the server description, and track usage metrics. If you are the server author, to access the admin panel.
Appeared in Searches
- MCP server for analyzing CVEs (Common Vulnerabilities and Exposures)
- CodeQL static analysis tool and semantic code analysis platform
- A server that scans projects for security vulnerabilities and recommends fixes
- Search for known security vulnerabilities on the NSIS website
- Automating guard duty alert validation and reporting process