CVE-2025-59155 is a Server-Side Request Forgery (SSRF) vulnerability affecting versions 1.4.0 up to but not including 1.5.0 of the hackmd-mcp software, a Model Context Protocol server designed to integrate HackMD's note-taking platform with AI assistants. The vulnerability arises when the server operates in HTTP transport mode and accepts arbitrary hackmdApiUrl values supplied via the Hackmd-Api-Url HTTP header or a base64-encoded JSON query parameter without proper validation. This lack of validation enables an attacker to manipulate outbound API requests, redirecting them to internal network services or endpoints that are otherwise inaccessible externally. Consequently, attackers can perform internal network reconnaissance, access sensitive internal services, and bypass network access controls. The stdio transport mode is unaffected because it restricts requests to stdio only, preventing such redirection. The issue is resolved in version 1.5.0 by enforcing allowed endpoints and introducing the ALLOWED_HACKMD_API_URLS environment variable to restrict permissible URLs. Mitigations include upgrading to version 1.5.0 or later, switching to stdio mode, restricting outbound network access, or filtering the Hackmd-Api-Url header and related query parameters at a reverse proxy level. The CVSS 4.0 score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality and integrity, with no impact on availability. No known exploits are reported in the wild as of the publication date.

For European organizations using hackmd-mcp versions between 1.4.0 and 1.5.0 in HTTP transport mode, this SSRF vulnerability poses a significant risk to internal network security. Attackers exploiting this flaw can pivot from the exposed server to internal services, potentially accessing sensitive data, internal APIs, or administrative interfaces not intended for external exposure. This can lead to unauthorized information disclosure, internal network mapping, and potentially facilitate further attacks such as lateral movement or privilege escalation within the network. Given that hackmd-mcp integrates with AI assistants and note-taking platforms, confidential organizational information could be at risk if internal endpoints are accessed. The ability to bypass network access controls undermines perimeter defenses, increasing the attack surface. Although the vulnerability does not directly affect availability, the compromise of internal services or data confidentiality can have serious operational and reputational consequences. The absence of required authentication or user interaction lowers the barrier for exploitation, increasing risk. European organizations in sectors with high confidentiality requirements, such as finance, healthcare, and government, are particularly vulnerable to the impacts of such internal network exposure.

European organizations should prioritize upgrading hackmd-mcp installations to version 1.5.0 or later, where the vulnerability is fully addressed by endpoint validation and configurable allowed URLs. If immediate upgrading is not feasible, switching the server to stdio transport mode is a strong mitigation, as it inherently blocks HTTP-based SSRF vectors. Network-level controls should be implemented to restrict outbound traffic from hackmd-mcp servers, limiting connections to only trusted internal and external endpoints. Deploying reverse proxies or web application firewalls (WAFs) to filter and validate the Hackmd-Api-Url HTTP header and any base64-encoded JSON query parameters can prevent malicious redirection attempts. Regularly auditing and monitoring outbound requests from hackmd-mcp servers can help detect anomalous behavior indicative of exploitation attempts. Additionally, organizations should review internal network segmentation and access controls to minimize the impact of potential SSRF exploitation. Security teams should also ensure that logging and alerting mechanisms are in place to capture suspicious activity related to hackmd-mcp API calls.