CVE-2025-21609
Published: 03 January 2025
Description
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.
Security Summary
SiYuan Note version 3.1.18, self-hosted open source personal knowledge management software, contains an arbitrary file deletion vulnerability tracked as CVE-2025-21609. The issue resides in the POST /api/history/getDocHistoryContent endpoint, where an attacker can craft a malicious payload to delete arbitrary files on the affected server. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-459 (Incomplete Cleanup) and CWE-552 (Files or Directories Accessible to External Parties).
The vulnerability enables exploitation by unauthenticated remote attackers over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to delete any file on the server, potentially disrupting service availability and compromising data integrity without affecting confidentiality.
The fix is in commit d9887aeec1b27073bec66299a9a4181dc42969f3 in the SiYuan GitHub repository and is expected to ship in version 3.1.19. Additional details are available in GitHub Security Advisory GHSA-8fx8-pffw-w498. Security practitioners should update to the patched version and, until then, restrict network access to the affected endpoint.