Headline
GHSA-g5cg-6c7v-mmpw: HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
Impact
A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters. This allows malicious users to:
- Redirect API calls to internal network services
- Potentially access sensitive internal endpoints
- Perform network reconnaissance through the server
- Bypass network access controls
The vulnerability affects the HTTP transport mode specifically - stdio mode is not impacted as it only accepts requests from stdio.
Patches
The vulnerability has been patched in version 1.5.0. Users should:
- Update to the latest version of the HackMD MCP server
- Set the
ALLOWED_HACKMD_API_URLSenvironment variable to restrict allowed HackMD API endpoints - If not set, the server will default to only allowing the official HackMD API URL (
https://api.hackmd.io/v1)
Example configuration:
ALLOWED_HACKMD_API_URLS=https://api.hackmd.io/v1,https://your-hackmd-instance.com/api/v1
Workarounds
Users can mitigate this vulnerability without upgrading by:
- Use stdio mode instead of HTTP mode: Set
TRANSPORT=stdioor remove theTRANSPORTenvironment variable to disable HTTP mode entirely - Network-level restrictions: Use firewall rules or network policies to restrict outbound connections from the server
- Reverse proxy filtering: Place the MCP server behind a reverse proxy that validates and filters both the
Hackmd-Api-Urlheader and the base64-encoded JSONconfigquery parameter to prevent malicioushackmdApiUrlvalues
References
Impact
A Server-Side Request Forgery (SSRF) vulnerability that affects all users running the HackMD MCP server in HTTP mode. Attackers could exploit this vulnerability by passing arbitrary hackmdApiUrl values through HTTP headers (Hackmd-Api-Url) or base64-encoded JSON query parameters. This allows malicious users to:
- Redirect API calls to internal network services
- Potentially access sensitive internal endpoints
- Perform network reconnaissance through the server
- Bypass network access controls
The vulnerability affects the HTTP transport mode specifically - stdio mode is not impacted as it only accepts requests from stdio.
Patches
The vulnerability has been patched in version 1.5.0. Users should:
- Update to the latest version of the HackMD MCP server
- Set the ALLOWED_HACKMD_API_URLS environment variable to restrict allowed HackMD API endpoints
- If not set, the server will default to only allowing the official HackMD API URL (https://api.hackmd.io/v1)
Example configuration:
ALLOWED_HACKMD_API_URLS=https://api.hackmd.io/v1,https://your-hackmd-instance.com/api/v1
Workarounds
Users can mitigate this vulnerability without upgrading by:
- Use stdio mode instead of HTTP mode: Set TRANSPORT=stdio or remove the TRANSPORT environment variable to disable HTTP mode entirely
- Network-level restrictions: Use firewall rules or network policies to restrict outbound connections from the server
- Reverse proxy filtering: Place the MCP server behind a reverse proxy that validates and filters both the Hackmd-Api-Url header and the base64-encoded JSON config query parameter to prevent malicious hackmdApiUrl values
References
- OWASP Server-Side Request Forgery Prevention Cheat Sheet
- HackMD MCP Server Documentation
References
- GHSA-g5cg-6c7v-mmpw
- https://nvd.nist.gov/vuln/detail/CVE-2025-59155
- yuna0x0/hackmd-mcp@43936c7
- https://github.com/yuna0x0/hackmd-mcp/releases/tag/v1.5.0