Server-side request forgery (SSRF) In github.com/siyuan-note/siyuan/kernel

Description

SiYuan has a Full-Read SSRF via /api/network/forwardProxy

Summary

The /api/network/forwardProxy endpoint lets any authenticated user make arbitrary HTTP requests from the server. It accepts a user-controlled URL (plus method, headers, body and timeout), performs the request from the kernel process, and returns the full response body and headers to the caller. There is no validation of the target URL, so requests to internal networks, localhost and cloud metadata services are all allowed.

Affected Code

File: /kernel/api/network.go (Lines 153-317)

func forwardProxy(c *gin.Context) {
    ret := gulu.Ret.NewResult()
    defer c.JSON(http.StatusOK, ret)

    // The JSON body carries the caller-supplied url, method, headers, payload
    // and timeout; the url is used as-is, with no check against internal,
    // loopback or metadata addresses.
    arg, ok := util.JsonArg(c, ret)
    if !ok {
        return
    }...

PoC

    First, authenticate with the access auth code and copy the resulting siyuan session cookie.

    Then send the request below; it uses the SSRF to read the cloud metadata service.

POST /api/network/forwardProxy HTTP/1.1
Host: <HOST>
Cookie: siyuan=<COOKIE>
Content-Length: 102

{"url":"http://169.254.169.254/metadata/v1/","method":"GET","headers":[],"payload":"","timeout":7000}

Impact

    Internal Network Reconnaissance: an attacker can scan internal hosts and ports from the server's network position

    Cloud Credential Theft: on cloud-hosted instances the metadata service (169.254.169.254) and any IAM credentials it exposes are reachable

    Data Exfiltration: the server acts as an open proxy, so responses from internal resources are returned to the attacker in full

    Firewall Bypass: requests originate from the server's trusted internal address, so network controls that trust that address are bypassed

Mitigation
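The check the affected handler is missing, as an added example (this is illustrative code, not SiYuan's code or its actual patch): parse the requested URL, allow only http and https, resolve the host once, reject loopback, private, link-local (which covers 169.254.169.254), CGNAT and unspecified ranges including their IPv6 and IPv4-mapped forms, and then dial the vetted address directly so a second DNS lookup cannot rebind the name to an internal host. Redirects are refused because a public URL answering 302 to an internal address is the standard bypass for a first-hop-only check. The blocked ranges, the resolveHost hook, the pinnedClient helper and the sample targets in main are assumptions for the example; 127.0.0.1:6806 stands in for a loopback target (6806 being the kernel's usual local port).

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Address ranges a server-side proxy must never fetch on a user's behalf:
// unspecified, loopback, RFC 1918, CGNAT, link-local (where 169.254.169.254
// lives) and the IPv6 equivalents. The list is an assumption for this example;
// tune it for the deployment.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
	"192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

// resolveHost is a hypothetical hook (not part of SiYuan) so tests can
// substitute DNS answers offline.
var resolveHost = func(host string) ([]net.IP, error) { return net.LookupIP(host) }

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlocked reports whether ip falls in a forbidden range. IPv4-mapped IPv6
// literals such as [::ffff:127.0.0.1] are normalised to IPv4 first so they
// cannot slip past the IPv4 rules.
func isBlocked(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return ip.IsUnspecified() || ip.IsMulticast()
}

// checkProxyTarget validates a forward-proxy URL and returns the vetted
// addresses, which the caller must dial directly instead of letting the HTTP
// client resolve the name a second time (DNS rebinding).
func checkProxyTarget(raw string) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are stripped
	if host == "" {
		return nil, errors.New("empty host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, errors.New("localhost not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS involved
	} else if ips, err = resolveHost(host); err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %s", host)
	}
	for _, ip := range ips { // every answer must be clean, not just the first
		if isBlocked(ip) {
			return nil, fmt.Errorf("%s resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// pinnedClient dials only the vetted address (Host header and TLS SNI still
// carry the original hostname) and refuses redirects, so neither a rebinding
// name nor a 302 to an internal address can reach past the check.
func pinnedClient(vetted net.IP) *http.Client {
	dialer := &net.Dialer{}
	return &http.Client{
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				_, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				return dialer.DialContext(ctx, network, net.JoinHostPort(vetted.String(), port))
			},
		},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

func main() {
	// Constructed sample targets: the PoC's metadata URL, a loopback kernel
	// port, an IPv4-mapped loopback literal, a bad scheme, and a public
	// documentation-range address that should pass.
	for _, target := range []string{
		"http://169.254.169.254/metadata/v1/",
		"http://127.0.0.1:6806/",
		"http://[::ffff:127.0.0.1]/",
		"ftp://203.0.113.7/",
		"http://203.0.113.7/status",
	} {
		ips, err := checkProxyTarget(target)
		if err != nil {
			fmt.Printf("REJECT %-38s %v\n", target, err)
			continue
		}
		fmt.Printf("ALLOW  %-38s dial %s\n", target, ips[0])
		_ = pinnedClient(ips[0]) // forward with this client, never http.DefaultClient
	}
}
```

The check alone is not enough: the vetted address has to be the one actually dialed, which is why checkProxyTarget hands the addresses back and pinnedClient ignores the hostname when connecting.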
