CVE Catalog

CVE-2025-5273

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile - higher than 25% of all known CVEs

Summary

A vulnerability in the mcp-markdownify-server package before version 1.0.0 allows unauthorized access to files and directories on the server via the get-markdown-file tool. An attacker can craft a malicious prompt that, when processed by the MCP host, enables reading arbitrary files from the system.

Risk Assessment

The risk involves potential leakage of sensitive data such as configuration files, credentials, or other confidential information stored on the server, which could lead to security breaches for the organization.

Recommendation

Immediately update the mcp-markdownify-server package to version 1.0.0 or later, which fixes this vulnerability. Additionally, restrict access to the get-markdown-file tool to trusted MCP hosts only.

Original NVD description (English source)

Versions of the package mcp-markdownify-server before 1.0.0 are vulnerable to Files or Directories Accessible to External Parties via the get-markdown-file tool. An attacker can craft a prompt that, once accessed by the MCP host, will allow it to read arbitrary files from the host running the server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS