Описание
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
Impact
A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters. This allows malicious users to:
- Redirect API calls to internal network services
- Potentially access sensitive internal endpoints
- Perform network reconnaissance through the server
- Bypass network access controls
The vulnerability affects the HTTP transport mode specifically - stdio mode is not impacted as it only accepts requests from stdio.
Patches
The vulnerability has been patched in version 1.5.0. Users should:
- Update to the latest version of the HackMD MCP server
- Set the
ALLOWED_HACKMD_API_URLSenvironment variable to restrict allowed HackMD API endpoints - If not set, the server will default to only allowing the official HackMD API URL (
https://api.hackmd.io/v1)
Example configuration:
Workarounds
Users can mitigate this vulnerability without upgrading by:
- Use stdio mode instead of HTTP mode: Set
TRANSPORT=stdioor remove theTRANSPORTenvironment variable to disable HTTP mode entirely - Network-level restrictions: Use firewall rules or network policies to restrict outbound connections from the server
- Reverse proxy filtering: Place the MCP server behind a reverse proxy that validates and filters both the
Hackmd-Api-Urlheader and the base64-encoded JSONconfigquery parameter to prevent malicioushackmdApiUrlvalues
References
Пакеты
hackmd-mcp
>= 1.4.0, < 1.5.0
1.5.0
Связанные уязвимости
hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. From 1.4.0 to before 1.5.0, hackmd-mcp contains a server-side request forgery (SSRF) vulnerability when the server is run in HTTP transport mode. Arbitrary hackmdApiUrl values supplied via the Hackmd-Api-Url HTTP header or a base64-encoded JSON query parameter are accepted without validation, allowing attackers to redirect outbound API requests to internal network services, access internal endpoints, perform network reconnaissance, and bypass network access controls. The stdio transport mode is not affected because it only accepts stdio requests. The issue is fixed in version 1.5.0, which enforces allowed endpoints and supports the ALLOWED_HACKMD_API_URLS environment variable. Users should update to 1.5.0 or later or apply documented mitigations such as switching to stdio mode, restricting outbound network access, or filtering the Hackmd-Api-Url header and related query param