MD-TO-TEXT/md_to_text
Severity: high

A powerful Model Context Protocol (MCP) server that converts Markdown documents to plain text. Supports both stdio and HTTP transport protocols for use as local tools or remote services.
// Source file not analyzed: src/index.ts
// Finding inferred from import chain: src/index.ts:4
// Network-exposed MCP; exploitable by any client sending a malicious URL.
The fetch_and_convert tool accepts arbitrary URLs from user input without validation, allowing an attacker to make the server request internal or external resources (SSRF). The environment variable URL_TIMEOUT suggests URL fetching is implemented, but no URL validation (e.g., blocklist, allowlist) is visible.
Impact: An attacker could use the MCP server to scan internal networks, access cloud metadata endpoints (e.g., 169.254.169.254), or perform denial-of-service by pointing it at large files.

Fix: Implement URL validation: restrict to allowed domains, block private IP ranges, and validate the URL scheme (only https).
// Source file not analyzed: src/index.ts
// Finding inferred from import chain: src/index.ts:4
// Network-exposed MCP; exploitable by any client sending a malicious path.
The batch_convert tool accepts a directory path from user input. Without validation, an attacker could use path traversal (e.g., '../../etc') to read arbitrary files outside the intended directory. The ALLOWED_EXTENSIONS env var suggests extension filtering, but no path sanitization is evident.
Impact: An attacker could read sensitive files (e.g., /etc/passwd, SSH keys) by traversing directories.

Fix: Sanitize and resolve the directory path to ensure it stays within an allowed base directory. Reject paths containing '..' or symbolic links.
// Source file not analyzed: src/index.ts
// Finding inferred from import chain: src/index.ts:4
// Network-exposed MCP; exploitable by any client.
The convert_markdown_to_text tool accepts Markdown content as a string. While MAX_FILE_SIZE limits file size, there is no validation on the content itself, which could lead to denial-of-service via extremely large or malformed input.
Impact: An attacker could cause resource exhaustion by sending a very large or deeply nested Markdown document.

Fix: Implement content size limits and parsing timeouts. Validate input structure before processing.