CVE-2025-58358
BaseFortify
Publication date: 2025-09-04
Last updated on: 2025-09-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zcaceres | mcp-markdownify-server | 0.0.2 |
| zcaceres | mcp-markdownify-server | 0.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in Markdownify versions below 0.0.2. It occurs because the server uses unsanitized user input directly in shell commands via child_process.exec, allowing an attacker to inject arbitrary system commands. This can lead to remote code execution with the privileges of the server process.
How can this vulnerability impact me? :
Exploitation of this vulnerability can allow an attacker to execute arbitrary commands on the server remotely, potentially leading to full compromise of the server, data theft, data loss, or disruption of service depending on the privileges of the server process.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Markdownify to version 0.0.2 or later, as this version contains the fix for the command injection vulnerability caused by unsanitized input parameters.