High severity · 7.4 · NVD Advisory · Published May 29, 2025 · Updated Apr 29, 2026


CVE-2025-5276

Description

All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An attacker can craft a prompt that, once accessed by the MCP host, invokes the webpage-to-markdown, bing-search-to-markdown, and youtube-to-markdown tools to issue requests to attacker-controlled URLs and read the responses, potentially leaking sensitive information.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package · Affected versions · Patched versions
mcp-markdownify-server (npm)
<= 0.0.1

Patches

1
0284aa8f34d3

Merge pull request #17 from supriza/add-url-validation

https://github.com/zcaceres/markdownify-mcp · Zach Caceres · May 7, 2025 · via ghsa
3 files changed · +61 −1
  • package.json+4 1 modified
    @@ -24,14 +24,17 @@
       },
       "dependencies": {
         "@modelcontextprotocol/sdk": "1.0.1",
    +    "private-ip": "^3.0.2",
         "zod": "^3.24.1"
       },
       "devDependencies": {
         "@types/node": "^22.9.3",
    +    "@types/private-ip": "^1.0.3",
         "bun": "^1.1.41",
         "sdk": "link:@types/modelcontextprotocol/sdk",
         "shx": "^0.3.4",
         "ts-jest": "^29.2.5",
         "typescript": "^5.6.2"
    -  }
    +  },
    +  "packageManager": "pnpm@10.10.0+sha512.d615db246fe70f25dcfea6d8d73dee782ce23e2245e3c4f6f888249fb568149318637dca73c2c5c8ef2a4ca0d5657fb9567188bfab47f566d1ee6ce987815c39"
     }
    
  • pnpm-lock.yaml+45 0 modified
    @@ -11,13 +11,19 @@ importers:
           '@modelcontextprotocol/sdk':
             specifier: 1.0.1
             version: 1.0.1
    +      private-ip:
    +        specifier: ^3.0.2
    +        version: 3.0.2
           zod:
             specifier: ^3.24.1
             version: 3.24.1
         devDependencies:
           '@types/node':
             specifier: ^22.9.3
             version: 22.10.2
    +      '@types/private-ip':
    +        specifier: ^1.0.3
    +        version: 1.0.3
           bun:
             specifier: ^1.1.41
             version: 1.1.42
    @@ -201,6 +207,9 @@ packages:
       '@bcoe/v8-coverage@0.2.3':
         resolution: {integrity: sha512-0hYQ8SB4Db5zvZB4axdMHGwEaQjkZzFjQiN9LVYvIFB2nSUHW9tYpxWriPrWDASIxiaXax83REcLxuSdnGPZtw==}
     
    +  '@chainsafe/is-ip@2.1.0':
    +    resolution: {integrity: sha512-KIjt+6IfysQ4GCv66xihEitBjvhU/bixbbbFxdJ1sqCp4uJ0wuZiYBPhksZoy4lfaF0k9cwNzY5upEW/VWdw3w==}
    +
       '@istanbuljs/load-nyc-config@1.1.0':
         resolution: {integrity: sha512-VjeHSlIzpv/NyD3N0YuHfXOPDIixcA1q2ZV98wsMqcYlPmv2n3Yb2lYP9XMElnaFVXg5A7YLTeLu6V84uQDjmQ==}
         engines: {node: '>=8'}
    @@ -387,6 +396,9 @@ packages:
       '@types/node@22.10.2':
         resolution: {integrity: sha512-Xxr6BBRCAOQixvonOye19wnzyDiUtTeqldOOmj3CkeblonbccA12PFwlufvRdrpjXxqnmUaeiU5EOA+7s5diUQ==}
     
    +  '@types/private-ip@1.0.3':
    +    resolution: {integrity: sha512-x8faDDSDjnQEtXQCSPLpBa0y/Tqd2ccEP6l1TG9YI72/1sW/pfzWj5bVEFLuf3149kQYN70NLH1/vEWOhVjZ9g==}
    +
       '@types/stack-utils@2.0.3':
         resolution: {integrity: sha512-9aEbYZ3TbYMznPdcdr3SmIrLXwC/AKZXQeCf9Pgao5CKb8CyHuEX5jzWPTkvregvhRJHcpRO6BFoGW9ycaOkYw==}
     
    @@ -725,6 +737,14 @@ packages:
         resolution: {integrity: sha512-agE4QfB2Lkp9uICn7BAqoscw4SZP9kTE2hxiFI3jBPmXJfdqiahTbUuKGsMoN2GtqL9AxhYioAcVvgsb1HvRbA==}
         engines: {node: '>= 0.10'}
     
    +  ip-regex@5.0.0:
    +    resolution: {integrity: sha512-fOCG6lhoKKakwv+C6KdsOnGvgXnmgfmp0myi3bcNwj3qfwPAxRKWEuFhvEFF7ceYIz6+1jRZ+yguLFAmUNPEfw==}
    +    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
    +
    +  ipaddr.js@2.2.0:
    +    resolution: {integrity: sha512-Ag3wB2o37wslZS19hZqorUnrnzSkpOVy+IiiDEiTqNubEYpYuHWIf6K4psgN2ZWKExS4xhVCrRVfb/wfW8fWJA==}
    +    engines: {node: '>= 10'}
    +
       is-arrayish@0.2.1:
         resolution: {integrity: sha512-zz06S8t0ozoDXMG+ube26zeCTNXcKIPJZJi8hBrF4idCLms4CG9QtK7qBl1boi5ODzFpjswb5JPmHCbMpjaYzg==}
     
    @@ -987,6 +1007,10 @@ packages:
       natural-compare@1.4.0:
         resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
     
    +  netmask@2.0.2:
    +    resolution: {integrity: sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg==}
    +    engines: {node: '>= 0.4.0'}
    +
       node-int64@0.4.0:
         resolution: {integrity: sha512-O5lz91xSOeoXP6DulyHfllpq+Eg00MWitZIbtPfoSEvqIHdl5gfcY6hYzDWnj0qD5tz52PI08u9qUvSVeUBeHw==}
     
    @@ -1062,6 +1086,10 @@ packages:
         resolution: {integrity: sha512-Pdlw/oPxN+aXdmM9R00JVC9WVFoCLTKJvDVLgmJ+qAffBMxsV85l/Lu7sNx4zSzPyoL2euImuEwHhOXdEgNFZQ==}
         engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
     
    +  private-ip@3.0.2:
    +    resolution: {integrity: sha512-2pkOVPGYD/4QyAg95c6E/4bLYXPthT5Xw4ocXYzIIsMBhskOMn6IwkWXmg6ZiA6K58+O6VD/n02r1hDhk7vDPw==}
    +    engines: {node: '>=14.16'}
    +
       prompts@2.4.2:
         resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==}
         engines: {node: '>= 6'}
    @@ -1501,6 +1529,8 @@ snapshots:
     
       '@bcoe/v8-coverage@0.2.3': {}
     
    +  '@chainsafe/is-ip@2.1.0': {}
    +
       '@istanbuljs/load-nyc-config@1.1.0':
         dependencies:
           camelcase: 5.3.1
    @@ -1778,6 +1808,8 @@ snapshots:
         dependencies:
           undici-types: 6.20.0
     
    +  '@types/private-ip@1.0.3': {}
    +
       '@types/stack-utils@2.0.3': {}
     
       '@types/yargs-parser@21.0.3': {}
    @@ -2115,6 +2147,10 @@ snapshots:
     
       interpret@1.4.0: {}
     
    +  ip-regex@5.0.0: {}
    +
    +  ipaddr.js@2.2.0: {}
    +
       is-arrayish@0.2.1: {}
     
       is-core-module@2.16.0:
    @@ -2549,6 +2585,8 @@ snapshots:
     
       natural-compare@1.4.0: {}
     
    +  netmask@2.0.2: {}
    +
       node-int64@0.4.0: {}
     
       node-releases@2.0.19: {}
    @@ -2612,6 +2650,13 @@ snapshots:
           ansi-styles: 5.2.0
           react-is: 18.3.1
     
    +  private-ip@3.0.2:
    +    dependencies:
    +      '@chainsafe/is-ip': 2.1.0
    +      ip-regex: 5.0.0
    +      ipaddr.js: 2.2.0
    +      netmask: 2.0.2
    +
       prompts@2.4.2:
         dependencies:
           kleur: 3.0.3
    
  • src/server.ts+12 0 modified
    @@ -7,6 +7,8 @@ import {
     import { Markdownify } from "./Markdownify.js";
     import * as tools from "./tools.js";
     import { CallToolRequest } from "@modelcontextprotocol/sdk/types.js";
    +import is_ip_private from "private-ip";
    +import { URL } from "node:url";
     
     const RequestPayloadSchema = z.object({
       filepath: z.string().optional(),
    @@ -49,7 +51,17 @@ export function createServer() {
               case tools.WebpageToMarkdownTool.name:
                 if (!validatedArgs.url) {
                   throw new Error("URL is required for this tool");
    +            }     
    +            
    +            const parsedUrl = new URL(validatedArgs.url);
    +            if (!["http:", "https:"].includes(parsedUrl.protocol)) {
    +              throw new Error("Only http: and https: schemes are allowed.");
                 }
    +            
    +            if (is_ip_private(parsedUrl.hostname)) {
    +              throw new Error(`Fetching ${validatedArgs.url} is potentially dangerous, aborting.`);
    +            }
    +    
                 result = await Markdownify.toMarkdown({
                   url: validatedArgs.url,
                   projectRoot: validatedArgs.projectRoot,
    
