mcp-markdownify-server Server-Side Request Forgery Vulnerability
Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in all versions of the mcp-markdownify-server package. The issue arises in the Markdownify.get() function: an attacker can craft a prompt that, when processed by the MCP host, invokes the webpage-to-markdown, bing-search-to-markdown, or youtube-to-markdown tool with a URL of the attacker's choosing, and the server fetches that URL without checking where it points. Requests can therefore be sent to attacker-controlled or internal URLs, and the fetched responses, which may contain sensitive information, are returned to the caller.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive information by allowing attackers to read responses from requests made to their controlled URLs.
Reproduction
To reproduce this vulnerability, send a crafted prompt to the Markdownify.get() function that includes URLs controlled by the attacker. Once the prompt is processed by the MCP host, the webpage-to-markdown, bing-search-to-markdown, and youtube-to-markdown tools will be invoked, sending requests to the attacker-controlled URLs and returning the responses, which may contain sensitive information.
Remediation
Users can update to the latest version of the mcp-markdownify-server package, which includes a URL validation feature that helps mitigate this vulnerability.
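The URL validation the remediation refers to is the natural SSRF mitigation for tools that fetch a prompt-supplied URL. The following is an added example written for this page, not the package's own code: `validateFetchTarget`, `BLOCKED_HOSTS` and the helper names are assumptions, and the validator relies on Node's WHATWG `URL` parser to canonicalise host tricks (decimal or hex IPv4, bracketed IPv6) before the range checks run.

```javascript
// Hostnames that must never be fetched on behalf of a prompt (assumed list).
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal"]);

// True for IPv4 literals in loopback, private (RFC 1918), link-local /
// cloud-metadata (169.254.0.0/16) or "this network" (0.0.0.0/8) ranges.
function isForbiddenIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// True for IPv6 loopback/unspecified, unique-local (fc00::/7), link-local
// (fe80::/10) and IPv4-mapped addresses (::ffff:a.b.c.d, which the WHATWG
// URL parser serialises as ::ffff:hhhh:hhhh), re-checked as IPv4.
function isForbiddenIPv6(ip) {
  if (ip === "::1" || ip === "::") return true;
  if (/^f[cd]/.test(ip) || /^fe[89ab]/.test(ip)) return true;
  const m = ip.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isForbiddenIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Decide whether a tool may fetch `raw`. Returns { ok, reason }.
// new URL() canonicalises hosts such as "2130706433" or "0x7f.0.0.1" to
// dotted-quad form, so the range checks below see the real address.
function validateFetchTarget(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:")
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password)
    return { ok: false, reason: "credentials embedded in URL" };
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".internal") || host.endsWith(".local"))
    return { ok: false, reason: "internal hostname" };
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isForbiddenIPv4(host))
    return { ok: false, reason: "private or loopback IPv4 address" };
  if (host.includes(":") && isForbiddenIPv6(host))
    return { ok: false, reason: "private or loopback IPv6 address" };
  // Caveat: a public hostname can still resolve to an internal address (DNS
  // rebinding); the fetch layer should resolve once, re-check the resolved
  // address with the same rules, and connect to that pinned address.
  return { ok: true };
}
```

A tool handler would call `validateFetchTarget` on the prompt-supplied URL and refuse the request (rather than fetch and redact) whenever `ok` is false; redirects returned by the remote side need the same check on each hop.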