GHSA-G5CG-6C7V-MMPW

Vulnerability from github – Published: 2025-09-15 20:37 – Updated: 2025-09-15 20:37
VLAI?
Summary
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
Details

Impact

A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters. This allows malicious users to:

  • Redirect API calls to internal network services
  • Potentially access sensitive internal endpoints
  • Perform network reconnaissance through the server
  • Bypass network access controls

The vulnerability affects the HTTP transport mode specifically - stdio mode is not impacted as it only accepts requests from stdio.

Patches

The vulnerability has been patched in version 1.5.0. Users should:

  1. Update to the latest version of the HackMD MCP server
  2. Set the ALLOWED_HACKMD_API_URLS environment variable to restrict allowed HackMD API endpoints
  3. If not set, the server will default to only allowing the official HackMD API URL (https://api.hackmd.io/v1)

Example configuration:

ALLOWED_HACKMD_API_URLS=https://api.hackmd.io/v1,https://your-hackmd-instance.com/api/v1

Workarounds

Users can mitigate this vulnerability without upgrading by:

  1. Use stdio mode instead of HTTP mode: Set TRANSPORT=stdio or remove the TRANSPORT environment variable to disable HTTP mode entirely
  2. Network-level restrictions: Use firewall rules or network policies to restrict outbound connections from the server
  3. Reverse proxy filtering: Place the MCP server behind a reverse proxy that validates and filters both the Hackmd-Api-Url header and the base64-encoded JSON config query parameter to prevent malicious hackmdApiUrl values

References

Severity ?
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "hackmd-mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59155"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-15T20:37:46Z",
    "nvd_published_at": "2025-09-15T17:15:36Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nA Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary `hackmdApiUrl` values through HTTP headers (`Hackmd-Api-Url`) or base64-encoded JSON query parameters. This allows malicious users to:\n\n- Redirect API calls to internal network services\n- Potentially access sensitive internal endpoints\n- Perform network reconnaissance through the server\n- Bypass network access controls\n\nThe vulnerability affects the HTTP transport mode specifically - stdio mode is not impacted as it only accepts requests from stdio.\n\n### Patches\n\nThe vulnerability has been patched in version `1.5.0`. Users should:\n\n1. Update to the latest version of the HackMD MCP server\n2. Set the `ALLOWED_HACKMD_API_URLS` environment variable to restrict allowed HackMD API endpoints\n3. If not set, the server will default to only allowing the official HackMD API URL (`https://api.hackmd.io/v1`)\n\nExample configuration:\n```\nALLOWED_HACKMD_API_URLS=https://api.hackmd.io/v1,https://your-hackmd-instance.com/api/v1\n```\n\n### Workarounds\n\nUsers can mitigate this vulnerability without upgrading by:\n\n1. **Use stdio mode instead of HTTP mode**: Set `TRANSPORT=stdio` or remove the `TRANSPORT` environment variable to disable HTTP mode entirely\n2. **Network-level restrictions**: Use firewall rules or network policies to restrict outbound connections from the server\n3. **Reverse proxy filtering**: Place the MCP server behind a reverse proxy that validates and filters both the `Hackmd-Api-Url` header and the base64-encoded JSON `config` query parameter to prevent malicious `hackmdApiUrl` values\n\n### References\n\n- [OWASP Server-Side Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n- [HackMD MCP Server Documentation](https://github.com/yuna0x0/hackmd-mcp)",
  "id": "GHSA-g5cg-6c7v-mmpw",
  "modified": "2025-09-15T20:37:46Z",
  "published": "2025-09-15T20:37:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yuna0x0/hackmd-mcp/security/advisories/GHSA-g5cg-6c7v-mmpw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59155"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yuna0x0/hackmd-mcp/commit/43936c78a5bb3dedc74e8f080607a1125caa8c13"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yuna0x0/hackmd-mcp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yuna0x0/hackmd-mcp/releases/tag/v1.5.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.