nist-nvd

The NIST NVD MCP Server provides a set of tools to search, retrieve, and analyze vulnerability data from the NVD API. It exposes a collection of MCP endpoints such as search_cves, get_cve, search_cves_by_cpe, search_cves_by_cvss, search_recent_cves, search_modified_cves, get_cve_change_history, and search_high_priority_cves. These tools enable AI agents and clients to filter CVEs by keywords, CVSS scores, CWE IDs, CPEs, publication dates, modification dates, and various risk indicators. The server is designed to deliver structured, enriched JSON responses suitable for automated processing and decision support, including CVSS details, relevant references, KEV/US-CERT data, and change history where applicable.

To use the server, integrate it into your MCP client configuration. A typical integration binds the Node.js server process and points your MCP client to the built index.js entry. You can leverage the available tools to perform threat intelligence, asset vulnerability assessments, or research workflows. Example usage includes performing high-priority CVE lookups, querying CVEs by CPE to assess product risk, or pulling recent CVEs for a specific time window for monitoring and alerting.

Prerequisites:

• Node.js (recommended LTS) and npm installed on your system
• Access to the repository or npm package as described below

Installation steps:

1. Install via npm

npm install @cyreslab/nist-nvd-mcp-server

2. Build (if you cloned the repo and need to compile):

git clone https://github.com/cyreslab/nist-nvd-mcp-server.git
cd nist-nvd-mcp-server
npm install
npm run build

3. Run the server (basic):

npm start

4. (Optional) Run in development mode:

npm run dev

5. If you are wiring this into an MCP client, use the following integration as a reference (see Quick Start):

{
  "servers": {
    "nist-nvd": {
      "command": "node",
      "args": ["/path/to/nist-nvd-mcp-server/build/index.js"]
    }
  }
}

Notes and tips:

• The server supports caching with a 5-minute TTL to improve responsiveness under repeated queries.
• Ensure you respect NVD API rate limits and implement retry/backoff in client logic if needed.
• The data validator enforces a 120-day maximum for date ranges where applicable (per NIST API compliance).
• When using search_cves_by_cpe or search_cves_by_cvss, consider combining filters for precise results and reducing unnecessary responses.
• If you run into environment issues, confirm Node.js path and ensure the built index.js file exists at the specified path in your MCP config.