SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- < 3.5.0
A Zip Slip vulnerability has been identified in SiYuan personal knowledge management software, specifically in versions through 0.0.0-20251202123337-6ef83b42c7ce. The issue resides in the 'importZipMd' function, where an authenticated user can overwrite files on the system. This vulnerability can escalate to full code execution under certain conditions, such as when the 'entrypoint.sh' file is overwritten in the official Docker image, which allows the overwritten code to be executed remotely.
Exploitation of this vulnerability allows for arbitrary file overwriting, with the potential for remote code execution in specific scenarios, such as when overwriting the 'entrypoint.sh' file in the official Docker image.
To reproduce this vulnerability, an authenticated user must access the import functionality within notes. The user can upload a crafted ZIP file that exploits the Zip Slip vulnerability by overwriting arbitrary files on the system. If the 'entrypoint.sh' file is targeted, the overwritten code will be executed after a container restart, leading to remote code execution.
Users are advised to update to SiYuan version 3.5.0, where this vulnerability has been patched.
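For maintainers of similar import handlers, the following added Go example (not SiYuan's code and not its actual patch) shows the class of check that closes a Zip Slip: every entry name is resolved against the destination directory and the archive is rejected whole if any entry escapes it or is not a regular file or directory. The names `safeJoin` and `vetArchive` and the path `/data/import` are hypothetical.

```go
package main

import (
	"archive/zip"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps a ZIP entry name to a path under destDir and rejects any
// name that resolves outside it (the Zip Slip condition).
func safeJoin(destDir, name string) (string, error) {
	base, err := filepath.Abs(destDir)
	if err != nil {
		return "", err
	}
	// Treat "\" as a separator too, so Windows-style names are caught on any OS.
	target := filepath.Join(base, filepath.FromSlash(strings.ReplaceAll(name, `\`, "/")))
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes %s", name, base)
	}
	return target, nil
}

// vetArchive checks every entry before anything is written, so a bad archive
// is rejected whole. It returns the resolved target path of each entry.
func vetArchive(zr *zip.Reader, destDir string) ([]string, error) {
	var targets []string
	for _, f := range zr.File {
		if m := f.Mode(); !m.IsDir() && !m.IsRegular() {
			return nil, fmt.Errorf("zip entry %q is not a regular file or directory", f.Name)
		}
		t, err := safeJoin(destDir, f.Name)
		if err != nil {
			return nil, err
		}
		targets = append(targets, t)
	}
	return targets, nil
}

func main() {
	// Constructed entry names; /data/import is a hypothetical import directory.
	for _, n := range []string{"notes/a.md", "../entrypoint.sh"} {
		p, err := safeJoin("/data/import", n)
		fmt.Printf("%-20s -> %q, err=%v\n", n, p, err)
	}
}
```

The check is lexical: it does not resolve symlinks that already exist under the destination directory, so extraction code should also avoid following them when opening targets.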