Markdownify Command Injection Vulnerability Allowing Remote Code Execution

A command injection vulnerability has been identified in the Markdownify Model Context Protocol (MCP) server, specifically in versions prior to 0.0.2. The issue arises from the unsanitized use of input parameters in a call to child_process.exec, which enables attackers to inject arbitrary system commands. Exploitation of this vulnerability can lead to remote code execution under the privileges of the server process. The vulnerability is present because the server directly incorporates unvalidated user input into command-line strings, allowing for the injection of shell metacharacters. This vulnerability has been addressed in version 0.0.2.

Impact

Exploitation of this vulnerability allows for command injection, leading to remote code execution on the server where Markdownify is running.

Reproduction

The vulnerability can be reproduced by sending a request to the MCP server that includes unvalidated file paths or commands. This can be done directly through the MCP Inspector or by injecting commands into a Markdown file that the server processes. The injected commands can then be executed by the server, exploiting the command injection vulnerability.

Remediation

Users are advised to update to Markdownify version 0.0.2 or later, where this vulnerability has been fixed. For those maintaining their own versions, it is recommended to avoid using child_process.exec with untrusted input and to use child_process.execFile instead, which allows for safer execution of commands by passing arguments as an array, preventing shell interpretation. Additionally, consider using the untildify package to convert tilde paths to absolute paths before executing commands.