| Title | zcaceres markdownify-mcp / mcp-markdownify-server up to 1.1.0 CWE-59: Improper Link Resolution Before File Access ('Link Follo |
|---|
| Description | A vulnerability was found in zcaceres markdownify-mcp, also distributed as
mcp-markdownify-server, up to version 1.1.0. The issue affects URL-based
Markdown conversion tools that fetch remote content and write it to a temporary
file before invoking the markitdown converter.
The vulnerable component is the temporary artifact creation logic in
src/Markdownify.ts. The private saveToTempFile() function builds the temporary
file path as:
path.join(os.tmpdir(), `markdown_output_${Date.now()}.${outputExtension}`)
The name is derived only from the shared temporary directory, the current
millisecond timestamp, and the inferred extension. It contains no random nonce,
invocation identifier, user identifier, tenant identifier, or other
security-relevant uniqueness, so anyone who can observe or guess when a
conversion runs can predict the path. The file is then written with
fs.writeFileSync(), whose default flag 'w' opens the path with O_CREAT|O_TRUNC
and neither O_EXCL nor O_NOFOLLOW. If an attacker has pre-created the predicted
path as a symbolic link, fs.writeFileSync() follows the link and writes the
fetched content to the attacker-chosen target.
The affected execution path is Markdownify.toMarkdown() when called with the
url argument. The MCP server routes several URL-based tools to this branch,
including webpage-to-markdown, youtube-to-markdown, and
bing-search-to-markdown.
Authentication required: yes, in the sense that the attacker must be able to
invoke or influence the MCP tool environment, or must have local write access to
the temporary directory of the host running the server. User interaction
required: yes for theft of another user's fetched data, because a separate
victim invocation must be induced; no when the attacker targets their own
invocation for file clobbering or denial of service in a shared same-user
environment.
Technical Details
- Affected file/function: src/Markdownify.ts saveToTempFile(), src/Markdownify.ts Markdownify.toMarkdown(), src/server.ts URL tool dispatch
- Vulnerable parameter: url, indirectly through fetched content written to a predictable temporary path
- Temporary path pattern: <os.tmpdir()>/markdown_output_<Date.now()>.<html|pdf>
- Attack vector: Local by default because the server uses stdio transport; may become Network if deployed behind a remote MCP gateway or exposed service
- Privileges required: Low
- Trigger condition: the attacker can create files or symbolic links in the server process temporary directory and can predict or spray the timestamp window used by a URL conversion
Impact
- Confidentiality: High
- Integrity: Low
- Availability: Low
The issue can disclose fetched URL content from another tool invocation in
same-host or same-user deployments. Examples include private documents fetched
from signed URLs, internal pages, or other user-supplied remote resources being
converted by the MCP server. The issue can also overwrite files writable by the
server process through symbolic link following, or cause cross-invocation
temporary artifact collisions and conversion failures. It does not bypass
operating system file permissions and is not a direct remote code execution
vulnerability by itself.
CVSS v3.1
Score: 6.1 (Medium) for the default local stdio deployment, as computed from the vector below
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L
Environmental severity can be higher in shared MCP services, CI/agent runners,
multi-user hosts, same-UID multi-tenant deployments, or services that expose the
MCP tool interface remotely while sharing a writable temporary directory between
untrusted workloads.
Timeline
- Discovered: 2026-06-03
- Vendor notified: 2026-06-03
- Patch released: [unknown]
- Public disclosure: 2026-06-03
Countermeasure
Create temporary artifacts at unpredictable per-invocation paths. For example,
use fs.mkdtemp() to create a private temporary directory (Node creates it with
mode 0700) and place the file under a random name such as crypto.randomUUID()
inside it. Open the file with an exclusive-creation flag (fs flag 'wx', which
maps to O_CREAT|O_EXCL) so that a path that already exists, including a
pre-planted symbolic link, makes the write fail instead of being followed.
Remove the private directory and its contents after conversion. Note that Linux
fs.protected_symlinks only blocks link following across users in sticky
world-writable directories; it does not help in the same-user case described
above, so the path construction itself must change. |
|---|
| Source | https://github.com/zcaceres/markdownify-mcp/issues/110 |
|---|
| User | Dem0000000 (UID 98743) |
|---|
| Submitted | 2026-06-03 04:33 PM (1 month ago) |
|---|
| Moderation | 2026-07-04 07:28 AM (1 month later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 376298 [zcaceres markdownify-mcp up to 1.1.0 webpage-to-markdown src/Markdownify.ts saveToTempFile weak encryption] |
|---|
| Points | 20 |
|---|
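The predictable-path pattern from the description, beside the countermeasure it recommends, as an added TypeScript example. This is not code from markdownify-mcp; the function names, the scratch "lab" directory, the victim file and the planted symlink are constructed for the demonstration. The vulnerable writer reproduces the markdown_output_<timestamp> naming with a default-flag fs.writeFileSync(); a simulated same-user attacker plants a symlink at the predicted path and the fetched content lands in the link target. The hardened writer uses fs.mkdtempSync(), crypto.randomUUID() and the 'wx' flag, and the same planted link is refused with EEXIST.

```typescript
// Added illustration of the CWE-59 pattern described in this entry: a writer that
// builds a timestamp-only name in the shared temp dir, beside a hardened writer.
// Not the project's code; function names and the lab layout are assumptions.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
import * as crypto from "node:crypto";

// Vulnerable pattern: predictable path, default flag 'w' (O_CREAT|O_TRUNC, no O_EXCL
// or O_NOFOLLOW), so an existing symlink at the path is followed and its target truncated.
function saveToTempFileVulnerable(content: string, ext: string, now: number = Date.now()): string {
  const p = path.join(os.tmpdir(), `markdown_output_${now}.${ext}`);
  fs.writeFileSync(p, content);
  return p;
}

// Exclusive-create write: flag 'wx' (O_CREAT|O_EXCL) fails with EEXIST when anything,
// including a symlink, already occupies the path. Returns false instead of writing.
function writeExclusive(p: string, content: string): boolean {
  try {
    fs.writeFileSync(p, content, { flag: "wx", mode: 0o600 });
    return true;
  } catch (e) {
    if ((e as { code?: string }).code === "EEXIST") return false;
    throw e;
  }
}

// Hardened pattern: a private 0700 directory from mkdtemp plus a random file name,
// written exclusively. The path cannot be guessed, and a guessed path is refused.
function saveToTempFileHardened(content: string, ext: string): { dir: string; file: string } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "markdownify-"));
  const file = path.join(dir, `${crypto.randomUUID()}.${ext}`);
  if (!writeExclusive(file, content)) throw new Error(`unexpected collision at ${file}`);
  return { dir, file };
}

function removeTempDir(dir: string): void {
  fs.rmSync(dir, { recursive: true, force: true });
}

// Lab (constructed): a simulated attacker plants a symlink at the predicted path before
// the conversion writes. The "victim" file lives in a scratch directory of our own.
function demonstrateSymlinkFollow(): { vulnerableClobbered: boolean; exclusiveRefused: boolean } {
  const lab = fs.mkdtempSync(path.join(os.tmpdir(), "cwe59-lab-"));
  const victim = path.join(lab, "victim.txt");
  const original = "original victim content";
  const fetched = "<p>content fetched from the URL</p>";
  fs.writeFileSync(victim, original);
  const ts = Date.now(); // the attacker predicts or sprays this millisecond window
  const predicted = path.join(os.tmpdir(), `markdown_output_${ts}.html`);
  fs.symlinkSync(victim, predicted);
  try {
    saveToTempFileVulnerable(fetched, "html", ts);
    const vulnerableClobbered = fs.readFileSync(victim, "utf8") === fetched;
    fs.writeFileSync(victim, original); // reset the victim; the link is still planted
    const exclusiveRefused =
      !writeExclusive(predicted, fetched) && fs.readFileSync(victim, "utf8") === original;
    return { vulnerableClobbered, exclusiveRefused };
  } finally {
    fs.unlinkSync(predicted); // removes the link, not its target
    fs.rmSync(lab, { recursive: true, force: true });
  }
}

// Round trip through the hardened writer: content lands in a private directory
// (no group/other permission bits) and is fully removed afterwards.
function hardenedRoundTrip(): { wrote: boolean; privateDir: boolean; cleaned: boolean } {
  const { dir, file } = saveToTempFileHardened("<p>x</p>", "html");
  const wrote = fs.readFileSync(file, "utf8") === "<p>x</p>";
  const privateDir = (fs.statSync(dir).mode & 0o077) === 0 && path.dirname(file) === dir;
  removeTempDir(dir);
  return { wrote, privateDir, cleaned: !fs.existsSync(dir) };
}

console.log(demonstrateSymlinkFollow(), hardenedRoundTrip());
```

Run it with a Node TypeScript runner such as tsx; the lab cleans up after itself. The exclusive flag is what turns a guessed path into a failed write, and the random private directory is what keeps the path from being guessed at all; both are needed, because 'wx' alone would still let an attacker deny service by squatting predicted names. Linux fs.protected_symlinks does not intervene in this lab because the link and the writer share a UID, which is exactly the same-user case the entry describes.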