Microsoft's Markitdown MCP Server Vulnerable to SSRF Exploit, Exposing AWS Credentials

The MCP (Model Context Protocol) protocol is used by AI agents to connect to tools. Microsoft's MCP server for its Markitdown file converter executes any provided URI without validation. By targeting the AWS metadata endpoint (169.254.169.254), researchers retrieved AWS credentials (access key, secret key, session token) in just two requests. An analysis of over 7,000 MCP servers revealed that 36.7% exhibited the same SSRF (Server-Side Request Forgery) vulnerability pattern.