Submission #846942: zcaceres markdownify-mcp / mcp-markdownify-server up to 1.1.0 CWE-59: Improper Link Resolution Before File Access ('Link Follo

Title: zcaceres markdownify-mcp / mcp-markdownify-server up to 1.1.0 CWE-59: Improper Link Resolution Before File Access ('Link Follo

Description

A vulnerability was found in zcaceres markdownify-mcp, also distributed as mcp-markdownify-server, up to version 1.1.0. The issue affects the URL-based Markdown conversion tools that fetch remote content and write it to a temporary file before invoking the markitdown converter. The vulnerable component is the temporary artifact creation logic in src/Markdownify.ts.

The private saveToTempFile() function builds the temporary file path as:

path.join(os.tmpdir(), `markdown_output_${Date.now()}.${outputExtension}`)

The path is derived only from the shared temporary directory, the current millisecond timestamp, and the inferred extension. It does not include a random nonce, invocation identifier, user identifier, tenant identifier, or any other security-relevant uniqueness. The file is then written with fs.writeFileSync(). If an attacker can pre-create the predicted path as a symbolic link, fs.writeFileSync() follows the link and writes the fetched content to the attacker-chosen target.

The affected execution path is Markdownify.toMarkdown() when called with the url argument. The MCP server routes several URL-based tools to this branch, including webpage-to-markdown, youtube-to-markdown, and bing-search-to-markdown.

Authentication required: yes, in the sense that the attacker must be able to invoke or influence the MCP tool environment, or must have local access to the same host temporary directory. User interaction required: yes for victim data theft, where a separate victim invocation must be induced; no if the attacker targets their own invocation for file clobbering or denial of service in a shared same-user environment.

Technical Details
- Affected file/function: src/Markdownify.ts saveToTempFile(), src/Markdownify.ts Markdownify.toMarkdown(), src/server.ts URL tool dispatch
- Vulnerable parameter: url, indirectly through fetched content written to a predictable temporary path
- Temporary path pattern: <os.tmpdir()>/markdown_output_<Date.now()>.<html|pdf>
- Attack vector: Local by default because the server uses stdio transport; may become Network if deployed behind a remote MCP gateway or exposed service
- Privileges required: Low
- Trigger condition: the attacker can create files or symbolic links in the server process temporary directory and can predict or spray the timestamp window used by a URL conversion

Impact
- Confidentiality: High
- Integrity: Low
- Availability: Low

The issue can disclose fetched URL content from another tool invocation in same-host or same-user deployments. Examples include private documents fetched from signed URLs, internal pages, or other user-supplied remote resources being converted by the MCP server. The issue can also overwrite files writable by the server process through symbolic link following, or cause cross-invocation temporary artifact collisions and conversion failures. It does not bypass operating system file permissions and is not a direct remote code execution vulnerability by itself.

CVSS v3.1 Score: 5.7 (Medium) for the default local stdio deployment
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L

Environmental severity can be higher in shared MCP services, CI/agent runners, multi-user hosts, same-UID multi-tenant deployments, or services that expose the MCP tool interface remotely while sharing a writable temporary directory between untrusted workloads.

Timeline
- Discovered: 2026-06-03
- Vendor notified: 2026-06-03
- Patch released: [unknown]
- Public disclosure: 2026-06-03

Countermeasure

Create temporary artifacts with unpredictable per-invocation paths.
For example, use fs.mkdtemp() to create a private temporary directory and use a random file name such as crypto.randomUUID(). Prefer exclusive creation flags and avoid following attacker-created symbolic links. Remove temporary artifacts from their private directory after conversion.
Source: https://github.com/zcaceres/markdownify-mcp/issues/110
User: Dem0000000 (UID 98743)
Submitted: 03/06/2026 04:33 PM (1 month ago)
Moderation: 04/07/2026 07:28 AM (1 month later)
Status: Approved
VulDB Entry: 376298 [zcaceres markdownify-mcp up to 1.1.0 webpage-to-markdown src/Markdownify.ts saveToTempFile weak encryption]
Points: 20
