damn-vulnerable-MCP-server  by harishsg993010

Educational tool for MCP security learning

Created 5 months ago
1,175 stars

Top 33.0% on SourcePulse

Project Summary

This project provides a deliberately vulnerable implementation of the Model Context Protocol (MCP) for educational purposes, targeting security researchers, developers, and AI safety professionals. It offers 10 challenges of increasing difficulty to demonstrate and learn about security vulnerabilities in LLM context management, enabling users to understand and mitigate potential risks.

How It Works

The Damn Vulnerable Model Context Protocol (DVMCP) server is built to showcase various MCP vulnerabilities. It implements a structured approach to context provision for LLMs, separating context management from LLM interaction. The project is organized into distinct challenge modules, each built around a specific security flaw such as prompt injection, tool poisoning, excessive permissions, or malicious code execution, so that each can be studied hands-on.

Quick Start & Requirements

Highlighted Details

  • 10 challenges covering prompt injection, tool poisoning, excessive permissions, rug pull attacks, tool shadowing, indirect prompt injection, token theft, malicious code execution, remote access control, and multi-vector attacks.
  • Challenges are categorized into Easy, Medium, and Hard difficulty levels.
  • Includes solution guides for educational purposes.
  • Developed using Cursor IDE and Manus AI.

Maintenance & Community

  • Created by Harish Santhanalakshmi Ganesan.
  • No specific community links (Discord/Slack) or roadmap details are provided in the README.

Licensing & Compatibility

  • Licensed under the MIT License.
  • Permissive license suitable for commercial use and closed-source linking.

Limitations & Caveats

The project explicitly states that it is for educational purposes only and that the vulnerabilities it demonstrates should not be implemented in production systems. It also notes potential instability in Windows environments.

Health Check

  • Last Commit: 2 months ago
  • Responsiveness: 1 week
  • Pull Requests (30d): 0
  • Issues (30d): 2
  • Star History: 31 stars in the last 30 days
