CVE Risk MCP Server

CVE lookups, KEV enrichment, and patch priority ranking.

MCP server for CVE lookups, KEV enrichment, and “what should I patch first?” ranking. It implements the MCP tools/list + tools/call flow over stdio and returns structured risk assessments per CVE.

Features

  • CVE detail lookups with parsed CVSS v3/v4 metrics.
  • CISA KEV feed enrichment (primary + mirror fallback).
  • EPSS-style risk scoring with reasons and a priority label.
  • Batch ranking for patch queues.

Tools

  • cve_lookup
    • Inputs: cve_id, include_kev, include_epss
    • Output: CVE summary + KEV status + risk score
  • cve_rank
    • Inputs: cve_ids, include_kev, include_epss, fail_fast
    • Output: ranked list (highest risk first)
  • cve_patch_first
    • Inputs: cve_ids, top_n, include_kev, include_epss, fail_fast
    • Output: ranked list + top-N recommendations
  • cve_status
    • Inputs: none
    • Output: upstream status + cache stats (timestamps + last error summary)
  • cve_config
    • Inputs: none
    • Output: effective runtime config (URLs, cache, scoring, batch limits)
  • cve_refresh
    • Inputs: cve_ids, include_epss, refresh_kev
    • Output: cache warm/refresh summary
  • cve_export
    • Inputs: cve_ids, include_kev, include_epss, include_markdown, fail_fast
    • Output: ranked list + optional markdown summary
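The batch tools above take a cve_ids list, and the reliability notes below say IDs are validated and de-duplicated before any upstream call and capped by --max-batch-size. The following is an added example of that preprocessing step, not the project's own code; normalize_cve_id, prepare_batch and the per-item error shape are hypothetical names chosen here.

```python
"""Validate, normalise and de-duplicate batch CVE IDs (added example, not project code)."""
import re
from typing import Dict, List, Tuple

# CVE ID syntax: "CVE-" + four-digit year + four or more digits (sequence
# numbers exceeded 9999 from 2014 on). Strict matching also guarantees that
# nothing but [A-Z0-9-] ever reaches the upstream request URL.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
FIRST_CVE_YEAR = 1999  # CVE-1999-0001 is the earliest assigned ID


def normalize_cve_id(raw: str) -> str:
    """Return the canonical upper-case form of a CVE ID, or raise ValueError."""
    candidate = raw.strip().upper()
    match = CVE_ID_RE.match(candidate)
    if not match:
        raise ValueError(f"not a CVE ID: {raw!r}")
    if int(match.group(1)) < FIRST_CVE_YEAR:
        raise ValueError(f"implausible CVE year: {raw!r}")
    return candidate


def prepare_batch(cve_ids: List[str], max_batch_size: int = 0) -> Tuple[List[str], List[Dict[str, str]]]:
    """Fail-soft preprocessing for cve_rank / cve_patch_first / cve_export.

    Keeps valid unique IDs in first-seen order, reports invalid inputs as
    per-item errors instead of aborting, and enforces --max-batch-size
    (0 disables). Exceeding the size limit rejects the whole batch, because
    the limit exists to bound upstream load rather than to flag one item.
    """
    accepted: List[str] = []
    seen = set()
    errors: List[Dict[str, str]] = []
    for raw in cve_ids:
        try:
            cve_id = normalize_cve_id(raw)
        except ValueError as exc:
            errors.append({"input": raw, "error": "invalid_cve_id", "detail": str(exc)})
            continue
        if cve_id in seen:  # duplicates, including case variants, cost no upstream call
            continue
        seen.add(cve_id)
        accepted.append(cve_id)
    if max_batch_size and len(accepted) > max_batch_size:
        raise ValueError(f"batch has {len(accepted)} unique CVEs; limit is {max_batch_size}")
    return accepted, errors
```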

Quickstart

make setup
make check

Reliability knobs

  • --retries and --retry-backoff-seconds control bounded retries for transient HTTP failures (429/5xx + network errors).
  • Retry-After supports both delta-seconds and HTTP-date response headers.
  • --print-effective-config prints resolved settings and their source (CLI/config/env/built-ins) to debug precedence.
  • --cve-timeout, --kev-timeout, and --epss-timeout override the shared --timeout for per-source control.
  • --config (TOML) centralizes defaults. Precedence: CLI flags > config > env > built-ins.
  • MCP and JSON CLI responses now include structured error data for upstream failures.
  • Batch flows (cve_rank, cve_patch_first, cve_export) are fail-soft and return per-item errors without dropping successful results.
  • KEV/EPSS enrichment is best-effort: enrichment failures are recorded in errors, but results are still returned with missing enrichment fields.
  • Optional strict batch mode is available via fail_fast (MCP tool arg) or --fail-fast (JSON CLI).
  • --max-batch-size limits how many unique CVEs a batch request can process (0 disables).
  • --max-parallel sets the degree of parallelism for batch CVE lookups (default: 1).
  • --cache-dir enables a persistent on-disk cache for CVE/KEV/EPSS responses (env: CVE_RISK_CACHE_DIR).
  • --offline disables all network fetches and uses cache-only mode (requires --cache-dir).
  • Lookup/rank/patch/export/refresh responses include a cache block when stale cache entries are served in offline mode (cache.served_stale=true with per-source details).
  • CVE IDs are validated and batch inputs are de-duplicated before upstream calls.
  • CVE parsing tolerates legacy schema variants (alternate CVSS and reference fields).
  • Structured errors include remediation hints (e.g., respect Retry-After on 429s).
  • --epss-weight (or env CVE_RISK_EPSS_WEIGHT) calibrates how strongly EPSS influences the risk score (default: 1.0).
  • --kev-floor (env CVE_RISK_KEV_FLOOR) and --kev-boost (env CVE_RISK_KEV_BOOST) calibrate the KEV scoring behavior.
  • --age-recent-days / --age-recent-boost (env CVE_RISK_AGE_RECENT_DAYS / CVE_RISK_AGE_RECENT_BOOST) calibrate the "new CVE" boost.
  • --age-old-days / --age-old-penalty (env CVE_RISK_AGE_OLD_DAYS / CVE_RISK_AGE_OLD_PENALTY) calibrate the "old CVE" penalty.
  • cve_status includes cache metadata plus request/latency counters, stale-cache counters, and rolling-window latency percentiles (request_count, success_count, error_count, stale_served_count, avg_latency_ms, last_latency_ms, p50_latency_ms, p95_latency_ms, latency_sample_count, latency_window_size) per source.
  • stdio MCP mode emits structured JSON logs to stderr (configurable via --mcp-log-level).
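The retry behaviour described above (bounded retries on 429/5xx and network errors, with Retry-After accepted as either delta-seconds or an HTTP-date) can be reduced to one pure scheduling function. This is an added example and not the project's own code; RetryPolicy, parse_retry_after and SAMPLE_NOW are hypothetical names, and the cap on a single delay is an assumption the README does not state.

```python
"""Bounded retry/backoff with RFC 7231 Retry-After parsing (added example, not project code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Transient statuses per the README: 429 plus 5xx. A status of None stands for a network error.
RETRYABLE_STATUSES = {429, 500, 502, 503, 504}

# Constructed "current time" so the HTTP-date branch is deterministic offline.
SAMPLE_NOW = datetime(2015, 10, 21, 7, 28, 0, tzinfo=timezone.utc)


def parse_retry_after(value: Optional[str], now: datetime) -> Optional[float]:
    """Seconds to wait per a Retry-After header, or None if absent or unparseable.

    Handles both forms RFC 7231 allows: delta-seconds ("120") and an HTTP-date
    ("Wed, 21 Oct 2015 07:30:00 GMT"). A date already in the past yields 0.
    """
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError, IndexError):  # pre-3.10 Pythons raise TypeError on bad input
        return None
    if when.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        when = when.replace(tzinfo=timezone.utc)
    return max(0.0, (when - now).total_seconds())


@dataclass(frozen=True)
class RetryPolicy:
    retries: int = 3                 # corresponds to --retries
    backoff_seconds: float = 0.5     # corresponds to --retry-backoff-seconds
    max_delay_seconds: float = 60.0  # assumed cap: an absurd Retry-After must not stall the server

    def delay_for(self, attempt: int, status: Optional[int],
                  retry_after: Optional[str], now: datetime) -> Optional[float]:
        """Sleep before retry `attempt` (1-based), or None when the request should fail.

        Non-retryable statuses (e.g. 404) and an exhausted retry budget return None.
        A server-supplied Retry-After takes precedence over exponential backoff.
        """
        if attempt > self.retries:
            return None
        if status is not None and status not in RETRYABLE_STATUSES:
            return None
        hinted = parse_retry_after(retry_after, now)
        delay = hinted if hinted is not None else self.backoff_seconds * 2 ** (attempt - 1)
        return min(delay, self.max_delay_seconds)
```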

Operations

See docs/OPERATIONS.md for a small operator runbook (interpreting cve_status, common remediation).

Run (stdio MCP server)

python -m cve_risk_mcp --stdio

Run (JSON CLI mode)

cve-risk-mcp lookup CVE-2023-23397 --pretty
cve-risk-mcp rank CVE-2023-23397 CVE-2021-44228 --pretty
cve-risk-mcp rank CVE-2023-23397 CVE-2021-44228 --fail-fast --pretty
cve-risk-mcp patch-first CVE-2023-23397 CVE-2021-44228 --top-n 1 --pretty
cve-risk-mcp status --pretty
cve-risk-mcp refresh --no-refresh-kev --pretty
cve-risk-mcp export CVE-2023-23397 CVE-2021-44228 --include-markdown --pretty

Config file (optional)

Use --config to set defaults in a TOML file. See cve-risk-mcp.example.toml for a starting point.

Output to file

cve-risk-mcp lookup CVE-2023-23397 --output out.json --pretty

NDJSON output

Tools (7)

  • cve_lookup: Performs a CVE detail lookup with parsed CVSS metrics and KEV/EPSS enrichment.
  • cve_rank: Ranks a list of CVEs by risk score, showing the highest risk first.
  • cve_patch_first: Provides a ranked list of CVEs with top-N recommendations for patching.
  • cve_status: Returns upstream status and cache statistics.
  • cve_config: Returns the effective runtime configuration.
  • cve_refresh: Warms or refreshes the local cache for specific CVEs.
  • cve_export: Generates a ranked list of CVEs with an optional markdown summary.

Environment Variables

  • CVE_RISK_CACHE_DIR: Directory path for the persistent on-disk cache.
  • CVE_RISK_EPSS_WEIGHT: Calibrates how strongly EPSS influences the risk score.
  • CVE_RISK_KEV_FLOOR: Calibrates the KEV scoring floor.
  • CVE_RISK_KEV_BOOST: Calibrates the KEV scoring boost.

Try it

Look up the details for CVE-2023-23397 and tell me if it is in the CISA KEV list.
Rank these vulnerabilities by risk: CVE-2023-23397 and CVE-2021-44228.
Which of these vulnerabilities should I patch first? CVE-2023-23397, CVE-2021-44228, and CVE-2024-1234.
Export a markdown summary of the risk assessment for CVE-2023-23397.

Frequently Asked Questions

What are the key features of CVE Risk MCP Server?

  • CVE detail lookups with parsed CVSS v3/v4 metrics.
  • CISA KEV feed enrichment with mirror fallback.
  • EPSS-style risk scoring with priority labels.
  • Batch ranking and patch queue prioritization.
  • Persistent on-disk caching for CVE/KEV/EPSS data.

What can I use CVE Risk MCP Server for?

  • Security engineers prioritizing daily patch management queues.
  • Developers assessing the urgency of vulnerabilities in their dependencies.
  • Automated generation of security reports for vulnerability remediation.
  • Offline security auditing using cached vulnerability data.

How do I install CVE Risk MCP Server?

Install CVE Risk MCP Server by running: python -m cve_risk_mcp --stdio

What MCP clients work with CVE Risk MCP Server?

CVE Risk MCP Server works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
