The convert_to_markdown tool appears to accept file:// URIs as conversion sources without any access control. When given the input file:///etc/passwd, the service returned content consistent with the deployment server's local /etc/passwd file.
This behavior indicates that the tool resolves user-supplied file URIs and returns server-side local file-system content as part of the conversion output, so any file readable by the account running the converter is reachable this way. The issue was observed over the stdio transport and points to insufficient validation of the URI scheme, of the file path, or of which sources the tool is permitted to convert.
We recommend restricting the sources the tool will convert. Untrusted file:// URIs should be rejected outright unless local file conversion is an intended feature. Where it is required, limit access to a dedicated allowlisted working directory: canonicalize the requested path (resolving symlinks and ".." components) and verify that the resolved path lies inside that directory before opening any file. A lexical check on the URI string alone is not sufficient; the boundary check must be applied to the canonical path.
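The following is an added illustration of the recommended mitigation, not the tool's own code. It assumes the converter is written in Python (the page does not say) and uses hypothetical names (resolve_local_path, validate_source, SourceRejected). The scheme check happens first, the local path is canonicalized with Path.resolve() before the boundary check, and the demo() function exercises the gate against constructed inputs, including the reported file:///etc/passwd, a ".." traversal, and a symlink planted inside the sandbox that points back out of it:

```python
"""Hardened resolution of user-supplied conversion sources.

Added illustration, not the converter's own code. Assumes a Python
converter and a single allowlisted directory for local sources.
"""
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlparse

# Hypothetical policy: only these remote schemes may be converted.
ALLOWED_REMOTE_SCHEMES = {"http", "https"}


class SourceRejected(ValueError):
    """A user-supplied source failed validation and must not be opened."""


def resolve_local_path(uri: str, allowed_root: Path) -> Path:
    """Map a file:// URI to a regular file inside allowed_root, or reject it.

    Canonicalisation (symlinks and '..' collapsed) happens before the boundary
    check, so a symlink planted inside the sandbox cannot escape it.
    """
    parsed = urlparse(uri)
    if parsed.scheme.lower() != "file":
        raise SourceRejected(f"not a file URI: {uri}")
    if parsed.netloc not in ("", "localhost"):
        raise SourceRejected(f"file URIs naming a host are not supported: {uri}")
    raw = unquote(parsed.path)
    if not raw or "\x00" in raw:
        raise SourceRejected(f"malformed path in {uri}")

    root = allowed_root.resolve(strict=True)       # the sandbox itself must exist
    candidate = Path(raw)
    if not candidate.is_absolute():                # relative paths are sandbox-relative
        candidate = root / candidate
    real = candidate.resolve()                     # follows symlinks, removes '..'
    try:
        real.relative_to(root)                     # boundary check on the canonical path
    except ValueError:
        raise SourceRejected(f"{uri} resolves outside {root}") from None
    if not real.is_file():
        raise SourceRejected(f"{uri} is not a regular file")
    return real


def validate_source(uri: str, allowed_root: Path, allow_local: bool = False) -> str:
    """Gate for the conversion entry point: returns the source to open, or raises."""
    scheme = urlparse(uri).scheme.lower()
    if scheme in ALLOWED_REMOTE_SCHEMES:
        return uri                                 # fetched by the converter, not here
    if scheme == "file":
        if not allow_local:
            raise SourceRejected("local file conversion is disabled")
        return str(resolve_local_path(uri, allowed_root))
    raise SourceRejected(f"unsupported URI scheme: {scheme!r}")


def demo() -> dict:
    """Exercise the gate against constructed inputs in a throwaway sandbox.

    Returns {label: 'allowed' | 'rejected'} so the outcomes can be checked.
    """
    outside = Path(tempfile.mkdtemp(prefix="outside-"))
    root = Path(tempfile.mkdtemp(prefix="convert-sandbox-"))
    try:
        # Constructed stand-in for /etc/passwd: sensitive content outside the sandbox.
        (outside / "secret.txt").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "report.txt").write_text("# quarterly report\n")
        os.symlink(outside / "secret.txt", root / "leak")   # planted symlink

        cases = [  # (label, uri, allow_local)
            ("reported_input", "file:///etc/passwd", True),
            ("legit_file", f"{root.as_uri()}/report.txt", True),
            ("relative_in_sandbox", "file:report.txt", True),
            ("dotdot_traversal", f"{root.as_uri()}/../{outside.name}/secret.txt", True),
            ("symlink_escape", f"{root.as_uri()}/leak", True),
            ("remote_host", "file://fileserver.example/share/doc.md", True),
            ("local_disabled", f"{root.as_uri()}/report.txt", False),
            ("https_source", "https://example.org/doc.docx", False),
            ("unknown_scheme", "ftp://example.org/doc.docx", False),
        ]
        results = {}
        for label, uri, allow_local in cases:
            try:
                validate_source(uri, root, allow_local=allow_local)
                results[label] = "allowed"
            except SourceRejected:
                results[label] = "rejected"
        return results
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:22} {outcome}")
```

The order of operations is the point: the scheme is checked before any path handling, the path is resolved before it is compared against the sandbox root, and the file is only opened after both checks pass. Applying the boundary check to the unresolved string would pass the symlink and traversal cases above.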