VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

dazeb markdown-downloader index.ts create_subdirectory path traversal

CVE-2026-9472

Description

A flaw has been found in dazeb markdown-downloader up to 3d4394b34b6c99d81af817623af55e3384df5a6a. Affected is the function download_markdown/list_downloaded_files/create_subdirectory of the file src/index.ts. Executing a manipulation can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in dazeb/markdown-downloader up to commit 3d4394b allows remote attackers to write, read, or list files outside the intended download directory via crafted subdirectory arguments.

Vulnerability

A path traversal flaw exists in dazeb/markdown-downloader up to commit 3d4394b34b6c99d81af817623af55e3384df5a6a. The vulnerability affects the functions download_markdown, list_downloaded_files, and create_subdirectory in src/index.ts. These MCP tools accept user-controlled subdirectory or subdirectoryName parameters and concatenate them directly into filesystem paths with path.join(), without validating that the resulting path stays within the allowed download directory. The product does not use versioning, so no version numbers are available [1][2].
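The defect above is the unchecked path.join() on an attacker-controlled subdirectory; the check a fix needs is to resolve the joined path and confirm it is still under config.downloadDirectory. The following is an added example written for this advisory, not code from the markdown-downloader project: vulnerableJoin mirrors the pattern described, safeJoin is the hardened form, and the function names and the sample download directory are assumptions.

```typescript
// Added example for this advisory (not the project's src/index.ts).
import * as path from "node:path";

// Mirrors the pattern the advisory describes: the user-controlled
// subdirectory is joined onto the download directory with no check on
// where the normalized result ends up.
function vulnerableJoin(downloadDirectory: string, subdirectory: string): string {
  return path.join(downloadDirectory, subdirectory);
}

// Hardened form: resolve both paths to absolute form, then require that the
// target is the download directory itself or lies strictly beneath it.
// path.resolve() also neutralizes an absolute subdirectory such as "/etc",
// because the result will not start with the base prefix.
function safeJoin(downloadDirectory: string, subdirectory: string): string {
  const base = path.resolve(downloadDirectory);
  const target = path.resolve(base, subdirectory);
  // Compare against "base + separator" so that a sibling directory with the
  // same prefix (e.g. "/srv/downloads-old") is not accepted as inside.
  if (target !== base && !target.startsWith(base + path.sep)) {
    throw new Error(`subdirectory escapes download directory: ${JSON.stringify(subdirectory)}`);
  }
  // Caveat: this is a lexical check only. If the download tree may contain
  // symlinks, also compare fs.realpathSync() of the created path against the
  // real path of the base directory before reading or writing.
  return target;
}

// Convenience predicate for validating tool arguments before any I/O.
function isInsideDownloadDir(downloadDirectory: string, subdirectory: string): boolean {
  try {
    safeJoin(downloadDirectory, subdirectory);
    return true;
  } catch {
    return false;
  }
}
```

On a POSIX host, the vulnerable form turns "../../tmp/poc" under "/srv/markdown-downloads" into "/tmp/poc", while safeJoin rejects it and still accepts ordinary names such as "notes/today".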

Exploitation

An attacker can launch the attack remotely by sending crafted MCP tool calls to the server. For example, calling download_markdown with a subdirectory of ../../tmp/poc causes the server to construct a path outside the download directory and write a file there. Similarly, list_downloaded_files and create_subdirectory can be exploited with ../ sequences to list or create directories anywhere the server process has permissions. No authentication is required if the MCP server is exposed [2].

Impact

Successful exploitation allows an attacker to write arbitrary files (e.g., overwrite configuration files), read directory contents, and create directories outside the intended config.downloadDirectory. The privilege level is that of the server process. The confidentiality, integrity, and availability impact includes unauthorized file writes, information disclosure via directory listing, and potential denial of service or code execution depending on the type of file written [2].

Mitigation

The project maintainer was informed via an issue report but has not responded as of the publication date (2026-05-25). No official fix has been released. Users should restrict network access to the MCP server, avoid exposing it to untrusted networks, and monitor for future updates. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at this time [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Dazeb/Markdown Downloader (inferred), 2 versions
    • (no CPE) range: <3d4394b34b6c99d81af817623af55e3384df5a6a
    • (no CPE) range: <3d4394b34b6c99d81af817623af55e3384df5a6a

Patches (0)

No patches discovered yet.


References (4)
