What happened
markdownify-mcp's path-allowlist check does not resolve symlinks before validation, letting a local attacker construct a symlink that bypasses the intended directory confinement.
Why it matters
Local-only attack vector on a niche single-maintainer MCP tool; low blast radius but included for completeness as a precisely catalogued CVE.
Attack vector
The assertPathAllowed function in src/Markdownify.ts fails to detect symlinks, allowing a local attacker to use symlink following to escape the intended path restriction.
Affected systems
zcaceres markdownify-mcp, up to version 1.1.0
Mitigation
Track the pending pull request to fix this issue in the upstream repository; avoid processing untrusted symlinked paths in the interim.