
CVE-2025-5273:
Markdownify MCP Server allows attackers to read arbitrary files

CVSS Score: 6.5

Basic Information

EPSS Score: -
Published: 5/29/2025
Updated: 5/29/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Package Name: mcp-markdownify-server
Ecosystem: npm
Vulnerable Versions: <= 0.0.1
First Patched Version: -

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows an attacker to read arbitrary files on the host running mcp-markdownify-server. The root cause is insufficient input validation in the getMarkdownFile function of the Markdownify class in src/Markdownify.ts: the path passed to the get-markdown-file tool is used as supplied.

Commit 3a6b202d088ef7acb8be84bc09515f41a2b1a9df introduces mitigations for this vulnerability. The changes in that commit identify the vulnerable function and show how it could be exploited.

Specifically, getMarkdownFile was modified to:

  1. Normalize the input filePath with path.normalize() and path.resolve(), and expand a leading tilde (~) to the user's home directory. Canonicalizing the path collapses ../ segments before any later check runs, so the check sees the path that will actually be opened.
  2. Require the file extension to be one of the allowed Markdown extensions (.md, .markdown). On its own this only limits reads to files with those extensions; it does not confine them to any directory.
  3. Optionally, if the MD_SHARE_DIR environment variable is set, verify that the resolved path lies within that directory. This is the check that provides a real boundary; when MD_SHARE_DIR is unset, the extension check is the only restriction.

Before these changes, getMarkdownFile passed filePath directly to fs.existsSync() and then to the file read (the read itself is not shown in this diff snippet but follows from the function's purpose). With no checks, a filePath such as ../../../../etc/shadow, or any other file the server process is permitted to read, would be opened and its contents returned to the MCP host. The vulnerability description confirms this: "An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server." The CVSS vector reflects that delivery model: no privileges on the server (PR:N), but user interaction (UI:R) in the form of the MCP host processing the attacker's prompt.

Therefore, Markdownify.getMarkdownFile is the direct point of vulnerability. During exploitation, a runtime profile or stack trace would show this function being called with the attacker-controlled file path.
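The following is an added example, not code from mcp-markdownify-server or from the fixing commit. It places a "before" reader that behaves as the analysis above describes (existence is the only gate) next to an "after" reader that applies the three checks the patch adds, and it exercises both on a constructed scratch directory. The function names, the scratch-tree layout, the sample file contents and the path.relative-based containment check are all assumptions made here for illustration; whether the real patch implements containment with path.relative or with a string prefix test is not stated on this page.

```typescript
// Added example, not code from mcp-markdownify-server: a "before" reader that
// behaves as the advisory describes, and an "after" reader that applies the
// three checks from the fix. Function names, the scratch directory layout and
// the sample file contents are constructed here for illustration.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// "Before": existence is the only gate, so any file the process can read is returned.
export function readMarkdownFileUnsafe(filePath: string): string | null {
  if (!fs.existsSync(filePath)) return null;
  return fs.readFileSync(filePath, "utf8");
}

const ALLOWED_EXTENSIONS = new Set([".md", ".markdown"]);

// Expand a leading "~" to the home directory, then canonicalize lexically.
// path.resolve does not follow symlinks; see the note below the block.
function canonicalize(filePath: string): string {
  const expanded =
    filePath === "~" || filePath.startsWith("~/")
      ? path.join(os.homedir(), filePath.slice(1))
      : filePath;
  return path.resolve(path.normalize(expanded));
}

// True when `target` equals `root` or lies beneath it. path.relative is used
// instead of a plain startsWith(root) so that a sibling such as /srv/share2
// is not accepted as being inside /srv/share.
export function isInside(root: string, target: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(target));
  if (rel === "") return true;
  return !path.isAbsolute(rel) && rel !== ".." && !rel.startsWith(".." + path.sep);
}

export interface PathCheck {
  ok: boolean;
  resolved: string;
  reason?: string;
}

// The "after" policy: extension allow-list, plus containment when a share
// directory is configured. With shareDir undefined (MD_SHARE_DIR unset) the
// extension check is the only restriction, so any *.md on the host is readable.
export function checkMarkdownPath(filePath: string, shareDir?: string): PathCheck {
  const resolved = canonicalize(filePath);
  if (!ALLOWED_EXTENSIONS.has(path.extname(resolved).toLowerCase())) {
    return { ok: false, resolved, reason: "extension not allowed" };
  }
  if (shareDir !== undefined && !isInside(shareDir, resolved)) {
    return { ok: false, resolved, reason: "outside MD_SHARE_DIR" };
  }
  return { ok: true, resolved };
}

export function readMarkdownFileSafe(
  filePath: string,
  shareDir: string | undefined = process.env.MD_SHARE_DIR,
): string | null {
  const check = checkMarkdownPath(filePath, shareDir);
  if (!check.ok) throw new Error(`refused ${filePath}: ${check.reason}`);
  if (!fs.existsSync(check.resolved)) return null;
  return fs.readFileSync(check.resolved, "utf8");
}

// Self-contained demo on a constructed scratch tree:
//   <tmp>/share/notes.md        legitimate file inside the share
//   <tmp>/secret.md             markdown file one level above the share
//   <tmp>/share-other/leak.md   sibling directory whose name starts with "share"
export function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "mdshare-"));
  const share = path.join(root, "share");
  const sibling = path.join(root, "share-other");
  fs.mkdirSync(share);
  fs.mkdirSync(sibling);
  fs.writeFileSync(path.join(share, "notes.md"), "# notes\n");
  fs.writeFileSync(path.join(root, "secret.md"), "token=constructed-sample\n");
  fs.writeFileSync(path.join(sibling, "leak.md"), "# sibling\n");

  // Traversal string as an attacker would supply it, not pre-normalized.
  const traversal = `${share}${path.sep}..${path.sep}secret.md`;
  const unsafeLeaks = readMarkdownFileUnsafe(traversal) === "token=constructed-sample\n";

  const refuses = (p: string, dir?: string): boolean => {
    try {
      readMarkdownFileSafe(p, dir);
      return false;
    } catch {
      return true;
    }
  };
  const result = {
    unsafeLeaks,
    safeRefusesTraversal: refuses(traversal, share),
    safeRefusesSibling: refuses(path.join(sibling, "leak.md"), share),
    safeRefusesNonMarkdown: refuses(path.join(root, "anything.txt"), share),
    safeReads: readMarkdownFileSafe(path.join(share, "notes.md"), share),
    // Without MD_SHARE_DIR the sibling's .md passes: extension is the only gate.
    anyMdWithoutShareDir: checkMarkdownPath(path.join(sibling, "leak.md"), undefined).ok,
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}
```

Two caveats worth keeping in mind when reviewing a fix of this shape. First, path.resolve is purely lexical: a symlink inside the share directory that points outside it still passes isInside, and closing that requires resolving both the share root and the candidate with fs.realpathSync (which only works once the file exists). Second, the anyMdWithoutShareDir result shows why the optional MD_SHARE_DIR check matters: with the variable unset, the hardened code still returns any .md or .markdown file the server process can read, anywhere on the host.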

Vulnerable functions

Markdownify.getMarkdownFile
src/Markdownify.ts
The function `getMarkdownFile` in `src/Markdownify.ts` was vulnerable because it used the caller-supplied `filePath` to read a file without validating the file type or restricting the directory. An attacker could supply a path to any file the server process can read (e.g., `../../../../etc/passwd`), and the server would read and return its content if it existed. The patch mitigates this by normalizing the path, checking for an allowed Markdown extension, and, when `MD_SHARE_DIR` is set, restricting access to that shared directory.

WAF Protection Rules

WAF Rule

All versions of the package mcp-markdownify-server are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server.

Reasoning

The vulnerability allows attackers to read arbitrary files on the server running `mcp-markdownify-server`. This is due to insufficient input validation in the `getMarkdownFile` function within the `Markdownify` class, located in `src/Markdownify.ts`.