Files or Directories Accessibility Vulnerability in MCP Markdownify Server
CVE-2025-5273
8.2 HIGH
What is CVE-2025-5273?
The mcp-markdownify-server package is affected by a vulnerability that enables unauthorized access to files or directories through its get-markdown-file tool. An attacker can exploit this flaw by crafting a specific prompt that, when processed by the server, allows them to read arbitrary files residing on the host machine. The resulting data exposure makes it critical for users and administrators to secure their setups against this flaw.
Affected Version(s)
mcp-markdownify-server 0
References
CVSS V4
Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Raul Onitza-Klugman (Snyk Security Research)