何が起きたか
markdownify-mcp のパス許可リスト チェックは検証の前にシンボリックリンクを解決しないため、ローカル攻撃者
なぜ重要か
Local-only attack vector on a niche single-maintainer MCP tool; low blast radius but included for completeness as a precisely catalogued CVE.
攻撃経路
The assertPathAllowed function in src/Markdownify.ts fails to detect symlinks, allowing a local attacker to use symlink following to escape the intended path restriction.
影響を受けるシステム
zcaceres markdownify-mcp, up to version 1.1.0
緩和策
Track the pending pull request to fix this issue in the upstream repository; avoid processing untrusted symlinked paths in the interim.