
CVE-2025-58358: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in zcaceres markdownify-mcp

Severity: High
Published: Thu Sep 04 2025 (09/04/2025, 00:34:33 UTC)
Source: CVE Database V5
Vendor/Project: zcaceres
Product: markdownify-mcp

Description

Markdownify is a Model Context Protocol server for converting almost anything to Markdown. Versions below 0.0.2 contain a command injection vulnerability, caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). This issue is fixed in version 0.0.2.

AI-Powered Analysis

AI analysis last updated: 09/04/2025, 01:02:50 UTC

Technical Analysis

CVE-2025-58358 is a command injection vulnerability (CWE-77) in markdownify-mcp, a Model Context Protocol server that converts various inputs into Markdown. It affects all versions before 0.0.2. The server builds shell command strings from user-supplied tool parameters and passes them to the Node.js child_process.exec function without validation or escaping. Because exec hands the whole string to a shell, metacharacters such as |, >, &&, ; and $(...) inside a parameter are interpreted as shell syntax, so whoever controls a parameter can run arbitrary commands with the privileges of the server process. Successful exploitation is remote code execution that compromises the confidentiality, integrity, and availability of the host. No authentication is required. The CVSS v3.1 score reported here is 7.5 (High): network attack vector and high confidentiality, integrity, and availability impact, offset by high attack complexity and a user-interaction requirement. In an MCP deployment that interaction is normally an MCP client (for example, an LLM agent acting on a user's request, possibly steered by attacker-controlled content it has read) invoking the affected tool with attacker-influenced parameters, which is why a "trusted" caller does not imply trusted parameters. No exploits are known in the wild at the time of this analysis. The issue is fixed in version 0.0.2; the advisory does not describe the fix beyond that.

Potential Impact

For European organizations running markdownify-mcp in their infrastructure or development pipelines, the risk is significant. Exploitation gives an attacker arbitrary command execution on the host, which can lead to data theft or tampering, system compromise, lateral movement within the network, and disruption of services; any credentials, API keys, or files reachable by the server process are exposed. Organizations that rely on the server for automated document processing or content conversion may also face operational disruption. Because no authentication is required, an attacker who can reach the server, or who can get an MCP client to call the vulnerable tool with attacker-influenced input, needs no credentials. Exposure therefore depends heavily on how the server is deployed: an instance reachable from the internet or from shared networks is at far greater risk than one run locally by a single client. Although no exploits are known in the wild, injection through unsanitized input is simple enough that the vulnerability should be treated as high risk and remediated promptly.

Mitigation Recommendations

1. Immediate upgrade: upgrade markdownify-mcp to version 0.0.2 or later, where the issue is fixed.
2. Input validation: validate every tool parameter against an allow-list of what it is supposed to be (an absolute http(s) URL, an existing file under a permitted directory) before it reaches any command construction. Treat this as defence in depth, not the fix: shell metacharacters are legal inside URLs and file names.
3. Use safer APIs: replace child_process.exec with child_process.execFile or spawn, passing arguments as an array so that no shell is invoked and each parameter is delivered to the converter as a single literal argument (and do not set shell: true).
4. Least privilege and segmentation: run the server as an unprivileged account, ideally in a container or sandbox with only the files and network access it needs, and restrict access to trusted internal networks or VPNs. Remember that an MCP client (an LLM agent) can be steered by content it reads, so a trusted caller does not guarantee trusted parameters.
5. Monitoring and logging: log tool invocations with their parameters, and alert on shell processes (sh -c, bash -c) spawned by the server process, especially when the command line contains ;, |, &&, $( or backticks.
6. Application firewall: where the server is exposed over HTTP, WAF or IPS rules for command-injection payloads add a layer of protection; they do not help for stdio-based deployments.
7. Security awareness: educate developers and administrators on secure command execution and input handling so that similar patterns are caught in review.


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-08-29T16:19:59.010Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68b8e1b4ad5a09ad00fc4f6d

Added to database: 9/4/2025, 12:47:48 AM

Last enriched: 9/4/2025, 1:02:50 AM

Last updated: 9/4/2025, 1:35:18 AM

