Overview
An unpatched server-side request forgery (SSRF) vulnerability in the Microsoft MarkItDown MCP server can compromise AWS EC2 instances through the instance metadata service. The server fetches arbitrary URLs without validation, giving an attacker access to cloud infrastructure credentials. Microsoft classified the issue as low-risk despite demonstrated EC2 metadata access.
Who Is Affected
Reported by ctrlaltnod.com. Affects users of the Microsoft MarkItDown MCP server deployed on cloud infrastructure, particularly AWS EC2 instances.
Where It Exists
The vulnerability is in the MarkItDown MCP server's document conversion functionality. It accepts URLs for remote document fetching without restricting the URL target, enabling SSRF.
When It Was Found
Reported January 2026. Microsoft classified the vulnerability as low-risk. As of disclosure, no patch has been provided.
How It Works
An attacker passes a URL for the AWS EC2 instance metadata service (http://169.254.169.254/latest/meta-data/), or another cloud provider's metadata endpoint, to the document conversion tool. The MCP server fetches that URL from its own server-side network context, which can reach the metadata service, and returns the response, including IAM credentials, instance identity and configuration, to the attacker.
Impact
Compromise of cloud infrastructure credentials via SSRF to metadata services. On AWS, this yields IAM role credentials that can access S3, DynamoDB, and other services. The impact extends beyond the MCP server to the entire cloud account depending on the IAM role's permissions.
Mitigation
Block requests to the cloud metadata addresses (169.254.169.254, fd00:ec2::254) at both the application and network levels. Restrict document sources with a URL allowlist. Require IMDSv2 (token-required) on EC2 instances to blunt SSRF-based credential theft. Deploy the MCP server with minimal IAM permissions.
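An application-level form of the first two mitigations (metadata-address blocking plus a host allowlist), written in Python because MarkItDown is a Python project. This is an added example, not MarkItDown's own code; the function names, the injectable resolver, and the reserved ranges beyond the two addresses named above are assumptions made for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not MarkItDown's own code): the two metadata addresses named in the
# advisory plus the link-local, loopback and private ranges that surround them.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",  # IMDS, IPv4 (AWS; other providers use it too)
    "fd00:ec2::254/128",   # AWS IMDS, IPv6
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "127.0.0.0/8", "::1/128",                          # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
)]
ALLOWED_SCHEMES = {"http", "https"}


class BlockedURL(ValueError):
    """Raised when the server must not fetch the given document URL."""


def validate_document_url(url, allowed_hosts=None, resolver=socket.getaddrinfo):
    """Return the addresses a fetch of `url` would connect to, or raise BlockedURL.

    `resolver` has the socket.getaddrinfo signature and is injectable so the check
    runs offline. Connect to a returned address (do not re-resolve) and re-run this
    check on every redirect, or DNS rebinding / a 3xx can route past it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        raise BlockedURL("URL has no host")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise BlockedURL(f"host not in allowlist: {host}")
    try:  # literal IP address: check it directly
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # hostname: check every address it resolves to
        addrs = [ipaddress.ip_address(sa[0]) for *_, sa in resolver(host, None)]
    for ip in addrs:
        if any(ip in net for net in BLOCKED_NETWORKS):
            raise BlockedURL(f"{host} resolves to blocked address {ip}")
    return addrs


def is_fetch_allowed(url, allowed_hosts=None, resolver=socket.getaddrinfo) -> bool:
    """Yes/no wrapper around validate_document_url."""
    try:
        validate_document_url(url, allowed_hosts, resolver)
        return True
    except BlockedURL:
        return False
```

This check is defense in depth alongside IMDSv2, which requires a session token obtained with a PUT request, so a plain GET-based fetch cannot read credentials even if the address filter is bypassed.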