Security fixes land on the latest published @sylphx/pdf-reader-mcp release. We
fix forward — please upgrade to the newest version before reporting.
Please report privately. Do not open a public issue for security defects.
Preferred channel — GitHub private vulnerability reporting (does not depend on email delivery):
- Go to the repository's Security tab.
- Click Report a vulnerability (GitHub private advisory).
- Include the details below.
This routes straight to the maintainers and lets us collaborate on a fix and a coordinated advisory in one place.
Please include:
- affected version(s) and transport (
stdioorhttp); - a clear description and impact;
- minimal steps to reproduce or a proof of concept;
- any suggested remediation.
We aim to acknowledge a report within a few days, agree on severity and a fix window, and publish a GitHub Security Advisory (GHSA, with a CVE where it qualifies) once a fixed version ships. We are glad to credit reporters by their chosen handle.
In scope: defects in this package's own code — authentication/authorization bypass, information disclosure, path traversal, SSRF, and similar. Issues in third-party dependencies should be reported upstream; tell us if this package's configuration meaningfully amplifies them.
The HTTP transport (MCP_TRANSPORT=http) exposes every PDF tool to any client
that can reach the port. It is opt-in; the default transport is stdio.
- Binds to
127.0.0.1(loopback) by default. SetMCP_HTTP_HOSTto a non-loopback host only when you intend remote access. - Set
MCP_API_KEYwhenever the server is reachable from another machine. Every/mcprequest must then present a matchingX-API-Keyheader; unauthenticated requests get401. The server warns at startup if it binds a non-loopback host without a key. - Restrict filesystem reach with
--allow-dir=<path>(repeatable) orMCP_PDF_ALLOWED_DIRS. Without an allowlist the process can read any PDF it has OS permission to open. - URL sources resolving to private/loopback addresses are blocked by default
(SSRF guard); only pass
--allow-private-ipsin a trusted network.