CVE-2025-5273: Markdownify MCP Server allows attackers to read arbitrary files
6.5
Basic Information
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mcp-markdownify-server | npm | <= 0.0.1 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability allows attackers to read arbitrary files on the server running mcp-markdownify-server. This is due to insufficient input validation in the getMarkdownFile function within the Markdownify class, located in src/Markdownify.ts.
The provided commit 3a6b202d088ef7acb8be84bc09515f41a2b1a9df introduces mitigations for this vulnerability. By examining the changes in this commit, we can identify the vulnerable function and understand how it was exploited.
Specifically, the getMarkdownFile function was modified to:
- Normalize the input filePath using path.normalize() and path.resolve(), and expand tilde (~) to the user's home directory. This helps prevent some forms of path traversal by canonicalizing the path.
- Check if the file extension is one of the allowed Markdown extensions (.md, .markdown). This restricts access to only Markdown files.
- Optionally, if the MD_SHARE_DIR environment variable is set, it ensures that the requested file path is within this allowed directory. This provides a stronger boundary for file access.
Before these changes, the getMarkdownFile function took the filePath parameter and passed it to fs.existsSync() and then to fs.readFile or a similar file-reading operation (the read itself is not shown in this diff snippet and is inferred from the function's purpose). Without the added checks, an attacker could craft a filePath like ../../../../etc/shadow or any other sensitive file on the system, and the server would attempt to read it. The vulnerability description confirms this by stating, "An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server."
Therefore, the Markdownify.getMarkdownFile function is the direct point of vulnerability. During exploitation, a runtime profile or stack trace would show this function being called with a malicious file path.
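The three checks listed above can be sketched as follows. This is an added example, not the code from commit 3a6b202d088ef7acb8be84bc09515f41a2b1a9df; the names resolveMarkdownPath and isAllowed are hypothetical, the sample paths are constructed, and the comparison assumes POSIX-style paths.

```javascript
// Added example: hypothetical helpers, not the project's own implementation.
const path = require("node:path");
const os = require("node:os");

const ALLOWED_EXTENSIONS = new Set([".md", ".markdown"]);

// Returns the canonical absolute path, or throws if a check fails.
function resolveMarkdownPath(filePath, shareDir = process.env.MD_SHARE_DIR) {
  if (typeof filePath !== "string" || filePath.includes("\0")) {
    throw new Error("invalid path");
  }
  // 1. Expand a leading "~", then canonicalize so "../" segments are
  //    collapsed before any decision is made on the path.
  const expanded = filePath === "~" || filePath.startsWith("~/")
    ? path.join(os.homedir(), filePath.slice(1))
    : filePath;
  const resolved = path.resolve(path.normalize(expanded));

  // 2. Extension allowlist, evaluated on the canonical path.
  if (!ALLOWED_EXTENSIONS.has(path.extname(resolved))) {
    throw new Error("only .md and .markdown files may be read");
  }

  // 3. Optional containment. path.relative() is used instead of a plain
  //    startsWith() so that a sibling such as /srv/share-evil is not
  //    accepted as being inside /srv/share.
  if (shareDir) {
    const rel = path.relative(path.resolve(shareDir), resolved);
    if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
      throw new Error("path is outside the share directory");
    }
  }
  return resolved;
}

// Boolean wrapper, convenient for checks and logging.
function isAllowed(filePath, shareDir) {
  try {
    resolveMarkdownPath(filePath, shareDir);
    return true;
  } catch {
    return false;
  }
}
```

The check is purely lexical: a symlink inside the share directory that points elsewhere still passes, so a stricter variant would run fs.realpathSync() on the file before the containment test. With no share directory configured, any Markdown file readable by the server process remains reachable.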