SiYuan Path Traversal Vulnerability in Export Endpoint Allowing Arbitrary File Read and Secret Leakage

Vulnerability

A path traversal vulnerability has been identified in SiYuan versions prior to 3.5.10, specifically within the '/export' endpoint. This vulnerability allows attackers to read arbitrary files from the server's filesystem. By exploiting double-encoded traversal sequences, sensitive files such as 'conf/conf.json' can be accessed. This configuration file contains critical secrets, including the API token, cookie signing key, and workspace access authentication code. Leaking these secrets may grant administrative access to the SiYuan kernel API and, in certain deployment scenarios, could be chained to achieve remote code execution.

Impact

Exploitation of this vulnerability can lead to arbitrary file disclosure, allowing attackers to read any file on the server, including sensitive configuration files that contain API tokens and other critical secrets. Such a breach could enable administrative access to SiYuan's kernel APIs. Additionally, the vulnerability could be exploited to exfiltrate local data from a user's SiYuan instance via cross-origin requests, potentially leading to remote code execution or full system compromise.

Reproduction

To reproduce this vulnerability, send a GET request to the '/export' endpoint with a double-encoded traversal sequence that targets a sensitive file, such as 'conf/conf.json' or '/etc/passwd'. If the request is successful, the response will contain the requested file's contents. Optionally, if the API token is leaked, it can be used to access privileged SiYuan kernel APIs, confirming the exploitation of the vulnerability.

Remediation

Users should update to SiYuan version 3.5.10 or later, where this vulnerability has been fixed.
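As an added illustration of the mitigation (example code, not SiYuan's own fix), the Go function below shows the containment check an export endpoint needs: it percent-decodes the requested path until it stops changing, so the double-encoded traversal sequences described above are normalised before any check, then verifies that the resolved path stays inside the export root. The root directory and the sample paths are constructed placeholders, not SiYuan's real layout.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// fullyDecode percent-decodes until the value stops changing, so a double-encoded
// "%252e%252e%252f" is seen as "../" rather than slipping past a single-decode check.
func fullyDecode(s string) (string, error) {
	for i := 0; i < 4; i++ {
		d, err := url.PathUnescape(s)
		if err != nil {
			return "", err
		}
		if d == s {
			return d, nil
		}
		s = d
	}
	return "", errors.New("too many percent-encoding layers")
}

// SafeExportPath resolves a client-supplied path against the export root and
// rejects any result that lands outside it, whatever encoding the ".." arrives in.
func SafeExportPath(root, requested string) (string, error) {
	decoded, err := fullyDecode(requested)
	if err != nil {
		return "", err
	}
	// Join cleans the result, so "a/../../x" collapses before the containment check.
	target := filepath.Join(root, filepath.FromSlash(decoded))
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("export path escapes the export root: " + requested)
	}
	return target, nil
}

func main() {
	// Constructed sample inputs; the root is a placeholder, not SiYuan's real layout.
	for _, p := range []string{"notes/page.md", "../conf/conf.json", "%252e%252e%252fconf%252fconf.json"} {
		got, err := SafeExportPath("/srv/siyuan/export", p)
		fmt.Printf("%-36s -> %q %v\n", p, got, err)
	}
}
```

Symlinks inside the export directory can still point outside it; if that directory is user-writable, resolve the target with filepath.EvalSymlinks before the containment check.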

Added: Mar 10, 2026, 6:02 PM
Updated: Mar 10, 2026, 6:02 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 3.3
exploitability: 9.1
remediation: 7.7
relevance: 3.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.