CVE-2025-5276
📋 TL;DR
This SSRF vulnerability in mcp-markdownify-server allows attackers to craft prompts that trick the server into making HTTP requests to attacker-controlled URLs when using webpage-to-markdown, bing-search-to-markdown, or youtube-to-markdown tools. This can lead to sensitive information disclosure from internal systems. All users of mcp-markdownify-server are affected.
💻 Affected Systems
- mcp-markdownify-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete internal network reconnaissance, access to cloud metadata services, retrieval of sensitive internal API data, and potential lateral movement to other systems.
Likely Case
Information disclosure from internal HTTP services, access to cloud instance metadata, and potential credential leakage from internal APIs.
If Mitigated
Limited to external URL access only if proper network segmentation and egress filtering are implemented.
🎯 Exploit Status
Exploitation requires crafting malicious prompts that trigger the vulnerable functions, which is straightforward for attackers familiar with SSRF techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in commit 0284aa8f34d32c65e20d8cda2d429b7943c9af03
Vendor Advisory: https://security.snyk.io/vuln/SNYK-JS-MCPMARKDOWNIFYSERVER-10249387
Restart Required: Yes
Instructions:
1. Update to the latest version of mcp-markdownify-server.
2. Restart the service.
3. Verify the fix by checking that URL validation is now implemented.
🔧 Temporary Workarounds
Network Egress Filtering
All platforms: Implement firewall rules to restrict outbound HTTP/HTTPS traffic from the server to only trusted external destinations.
Input Validation Proxy
All platforms: Deploy a reverse proxy that validates and sanitizes all URLs before they reach the markdownify-server.
🧯 If You Can't Patch
- Disable or restrict access to the vulnerable tools (webpage-to-markdown, bing-search-to-markdown, youtube-to-markdown)
- Implement strict network segmentation to isolate the server from sensitive internal systems
🔍 How to Verify
Check if Vulnerable:
Check if your version is before commit 0284aa8f34d32c65e20d8cda2d429b7943c9af03 by examining the source code or package version.
Check Version:
npm list mcp-markdownify-server
Verify Fix Applied:
Test that the server now validates URLs and rejects requests to internal/private IP addresses and localhost.
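The kind of check this verification step expects, as an added example (not the project's patch or code): a Node.js validator that rejects URLs whose host is localhost or maps to a loopback, private, or link-local address. The names `isInternalAddress` and `checkUrl`, the chosen ranges, and the sample hosts are assumptions; DNS results are passed in by the caller so the example runs offline.

```javascript
// Added example, not code from markdownify-mcp. Names and ranges are assumptions.
const net = require('node:net');

// Address ranges a URL-fetching tool should never be allowed to reach.
const internal = new net.BlockList();
internal.addSubnet('0.0.0.0', 8);          // "this host"
internal.addSubnet('127.0.0.0', 8);        // loopback
internal.addSubnet('10.0.0.0', 8);         // RFC 1918
internal.addSubnet('172.16.0.0', 12);      // RFC 1918
internal.addSubnet('192.168.0.0', 16);     // RFC 1918
internal.addSubnet('169.254.0.0', 16);     // link-local, includes 169.254.169.254
internal.addAddress('::1', 'ipv6');        // IPv6 loopback
internal.addSubnet('fc00::', 7, 'ipv6');   // IPv6 unique local
internal.addSubnet('fe80::', 10, 'ipv6');  // IPv6 link-local

function isInternalAddress(ip) {
  const family = net.isIP(ip);             // 4, 6, or 0 when not an IP literal
  if (family === 0) return false;
  return internal.check(ip, family === 6 ? 'ipv6' : 'ipv4');
}

// resolved: the addresses the hostname resolved to, supplied by the caller,
// so names that point at internal hosts are rejected as well.
function checkUrl(rawUrl, resolved = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme' };
  }
  // The URL parser canonicalizes the host; IPv6 literals come back in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'localhost' };
  }
  const candidates = net.isIP(host) ? [host] : resolved;
  if (candidates.length === 0) return { ok: false, reason: 'unresolved' };
  const bad = candidates.find(isInternalAddress);
  return bad
    ? { ok: false, reason: `internal address ${bad}` }
    : { ok: true, reason: 'public' };
}
```

In a deployment, the addresses passed as `resolved` must be the same ones the HTTP client then connects to, otherwise the check and the request can disagree.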
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from the server
- Requests to internal IP addresses or localhost
- Multiple failed URL validation attempts
Network Indicators:
- HTTP requests from markdownify-server to unexpected internal endpoints
- Traffic to cloud metadata services (169.254.169.254, etc.)
- Outbound requests following prompt execution
SIEM Query:
source="markdownify-server" AND (dest_ip=PRIVATE_IP_RANGE OR dest_ip=127.0.0.1 OR dest_ip=169.254.169.254)
🔗 References
- https://github.com/zcaceres/markdownify-mcp/blob/224cf89f0d58616d2a5522f60f184e8391d1c9e3/src/server.ts%23L20C17-L20C29
- https://github.com/zcaceres/markdownify-mcp/commit/0284aa8f34d32c65e20d8cda2d429b7943c9af03
- https://security.snyk.io/vuln/SNYK-JS-MCPMARKDOWNIFYSERVER-10249387