CVE-2025-5273
📋 TL;DR
The mcp-markdownify-server package is vulnerable to arbitrary file read attacks through its get-markdown-file tool. Attackers can craft malicious prompts that, when processed by the MCP host, allow reading any file from the server's filesystem. All users of this package are affected.
💻 Affected Systems
- mcp-markdownify-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of sensitive data including configuration files, credentials, private keys, and user data stored on the server.
Likely Case
Exfiltration of sensitive configuration files, environment variables, or application secrets leading to further system compromise.
If Mitigated
Limited impact if server runs with minimal privileges and filesystem access is properly restricted.
🎯 Exploit Status
Exploitation requires crafting a malicious prompt but is straightforward once the technique is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 3a6b202d088ef7acb8be84bc09515f41a2b1a9df
Vendor Advisory: https://github.com/zcaceres/markdownify-mcp/commit/3a6b202d088ef7acb8be84bc09515f41a2b1a9df
Restart Required: Yes
Instructions:
1. Update to the latest version of mcp-markdownify-server. 2. Restart the MCP server. 3. Verify the fix by checking that arbitrary file reads are no longer possible.
🔧 Temporary Workarounds
Disable get-markdown-file tool
allRemove or disable the vulnerable tool from the MCP server configuration.
Modify MCP server configuration to exclude the get-markdown-file tool
Filesystem restrictions
linuxRun the MCP server with minimal filesystem permissions using containerization or sandboxing.
docker run --read-only -v /safe/path:/data your-mcp-image
chroot /safe/path mcp-server
🧯 If You Can't Patch
- Isolate the MCP server in a network segment with no access to sensitive systems
- Implement strict input validation and sanitization for all MCP prompts
🔍 How to Verify
Check if Vulnerable:
Test if the get-markdown-file tool can read files outside the intended directory by attempting to read /etc/passwd or similar sensitive files.Check Version:
npm list mcp-markdownify-serverVerify Fix Applied:
After patching, attempt the same file read tests and verify they fail with proper error messages.📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via MCP logs
- Multiple failed file read attempts
- Access to sensitive file paths
Network Indicators:
- Unusual MCP protocol traffic patterns
- Large data exfiltration from MCP server
SIEM Query:
source="mcp-server" AND (file_path CONTAINS "/etc/" OR file_path CONTAINS "/root/" OR file_path CONTAINS "/home/")🔗 References
- https://github.com/zcaceres/markdownify-mcp/blob/3667bd4765c0e49684ce22df268d02dd478a7f3b/src/Markdownify.ts%23L94
- https://github.com/zcaceres/markdownify-mcp/commit/3a6b202d088ef7acb8be84bc09515f41a2b1a9df
- https://security.snyk.io/vuln/SNYK-JS-MCPMARKDOWNIFYSERVER-10249193
- https://security.snyk.io/vuln/SNYK-JS-MCPMARKDOWNIFYSERVER-10249193
