
CVE-2025-5276: Server-Side Request Forgery (SSRF) in mcp-markdownify-server

Severity: High
Type: Vulnerability (CVE-2025-5276)
Published: Thu May 29 2025 (05/29/2025, 05:00:05 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: mcp-markdownify-server

Description

All versions of the package mcp-markdownify-server are vulnerable to Server-Side Request Forgery (SSRF) via the Markdownify.get() function. An attacker can craft a prompt that, once accessed by the MCP host, can invoke the webpage-to-markdown, bing-search-to-markdown, and youtube-to-markdown tools to issue requests and read the responses to attacker-controlled URLs, potentially leaking sensitive information.

AI-Powered Analysis

Last updated: 07/07/2025, 04:56:18 UTC

Technical Analysis

CVE-2025-5276 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting all versions of the mcp-markdownify-server package. The vulnerability resides in the Markdownify.get() function, which converts various web content (webpages, Bing search results, and YouTube content) into markdown. An attacker can exploit this flaw by crafting a malicious prompt that, when processed by the MCP host, causes the webpage-to-markdown, bing-search-to-markdown, or youtube-to-markdown tools to issue HTTP requests to attacker-controlled URLs. Because the tool output returns the fetched content, the attacker can read the responses, effectively making the server perform arbitrary HTTP requests and potentially reach internal or sensitive resources that are not directly accessible from outside. The vulnerability is exploitable over the network without privileges or authentication (AV:N/PR:N), but it does require user interaction (UI:A): the attacker must get a user or system component to process the malicious prompt. The CVSS 4.0 score of 8.2 reflects the high impact on confidentiality from potential data leakage, with a high scope and complexity. No exploits in the wild are known at the time of writing, and no patches have been published at the time of disclosure. The CWE classification CWE-918 confirms this as an SSRF issue. The flaw can be leveraged to bypass network access controls, reach internal services, or exfiltrate sensitive information from the server environment by abusing the markdown conversion tools' ability to fetch external content.

Potential Impact

For European organizations, the impact of this SSRF vulnerability can be significant, especially for those using the mcp-markdownify-server package in their infrastructure or applications. The ability to perform SSRF attacks can lead to unauthorized access to internal systems, including databases, internal APIs, or cloud metadata services, potentially resulting in data breaches or lateral movement within the network. Confidential information could be exposed, including sensitive business data or personal data protected under GDPR. Additionally, attackers might use this vulnerability to pivot attacks or conduct reconnaissance on internal network topology. Given the high CVSS score and the lack of required privileges, the vulnerability poses a substantial risk to organizations that integrate this package into their web services, content management systems, or automation pipelines. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit, increasing the attack surface. The absence of patches means organizations must rely on mitigation until an official fix is released, increasing exposure time.

Mitigation Recommendations

European organizations should immediately audit their use of the mcp-markdownify-server package and identify any systems where it is deployed. Until patches are available, organizations should implement strict input validation and sanitization on any user-supplied data that could be processed by Markdownify.get(), effectively blocking malicious prompts that attempt to invoke external requests. Network-level controls should be enforced to restrict outbound HTTP requests from servers running this package, limiting them to only trusted destinations. Employing web application firewalls (WAFs) with custom rules to detect and block SSRF patterns targeting markdown conversion endpoints can provide additional protection. Monitoring and logging outbound requests from these servers can help detect suspicious activity early. Organizations should also educate users and administrators about the risk of processing untrusted markdown prompts to reduce the likelihood of successful social engineering. Finally, organizations should track vendor updates closely and apply patches as soon as they become available.
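The mitigation above (validate URLs before Markdownify.get() fetches them, and restrict outbound requests to trusted destinations) can be enforced in the tool layer itself, in front of the fetch call. The following is an added illustration written for this page, not code from mcp-markdownify-server: it checks the URL scheme, rejects embedded credentials, requires the host to be on an allowlist, and then resolves the host and refuses any address that is loopback, private, link-local (including cloud metadata ranges such as 169.254.0.0/16) or otherwise non-public. The allowlist contents and the `resolver` hook are assumptions; the hook exists so the check can be exercised offline with constructed DNS answers.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of destinations the markdown tools may fetch from.
# In a real deployment this would come from configuration, not be hard-coded.
ALLOWED_HOSTS = {"example.com", "www.bing.com", "www.youtube.com"}


def is_non_public(ip_text):
    """True if the address must never be fetched by a server-side tool."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])  # strip IPv6 zone id
    # An IPv4-mapped IPv6 address (::ffff:10.0.0.1) must be judged as its IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_private        # 10/8, 172.16/12, 192.168/16, fc00::/7, ...
        or addr.is_loopback    # 127/8, ::1
        or addr.is_link_local  # 169.254/16 (cloud metadata), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def default_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses using the system resolver."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (ok, reason, addresses). Call this before any webpage/search/youtube fetch.

    `addresses` is the list of resolved IPs when ok is True, so the caller can connect
    to exactly the address that was checked instead of resolving the name a second time
    (which would reopen a DNS-rebinding window between check and fetch).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials in URL", []
    host = parsed.hostname
    if not host:
        return False, "missing host", []
    host = host.lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not in allowlist", []
    try:
        addresses = resolver(host)
    except (OSError, ValueError):
        return False, "resolution failed", []
    if not addresses:
        return False, "host did not resolve", []
    for ip_text in addresses:
        if is_non_public(ip_text):
            return False, f"resolves to non-public address {ip_text}", []
    return True, "ok", addresses


if __name__ == "__main__":
    # Constructed DNS answers so the checks run offline.
    public = lambda h: ["93.184.216.34"]
    print(validate_fetch_url("https://example.com/page", resolver=public))
    print(validate_fetch_url("http://169.254.169.254/latest/meta-data/", resolver=public))
    print(validate_fetch_url("file:///etc/passwd", resolver=public))
    print(validate_fetch_url("https://example.com/", resolver=lambda h: ["::ffff:10.0.0.1"]))
```

The returned address list is the important design point: a fetch that re-resolves the hostname after the check can be defeated by a DNS answer that changes between the two lookups, so the HTTP client should be pointed at the validated address (with the original hostname preserved for TLS SNI and the Host header). The same function should also run on every URL the tool follows in a redirect chain, since a permitted host can redirect to an internal one.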


Technical Details

Data Version
5.1
Assigner Short Name
snyk
Date Reserved
2025-05-27T14:00:31.881Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6837ecfc182aa0cae26d541e

Added to database: 5/29/2025, 5:13:32 AM

Last enriched: 7/7/2025, 4:56:18 AM

Last updated: 8/7/2025, 10:19:53 PM
