SiYuan Markdown Rendering Vulnerability Leading to Stored Cross-Site Scripting and Remote Code Execution

Vulnerability

A vulnerability in SiYuan versions 3.6.0 and below allows for stored cross-site scripting (XSS) that escalates to remote code execution (RCE). This issue arises because the backend README rendering function does not sanitize raw HTML in Markdown before it is sent to the frontend. As a result, malicious JavaScript can be embedded in a package's README and executed when the package details are viewed. SiYuan's Electron configuration further exacerbates the issue by enabling node integration, allowing the injected JavaScript to execute with full access to the system.

Impact

Exploitation of this vulnerability allows for full remote code execution on the affected user's machine, with the executed code running in the context of the user. The vulnerability is triggered by viewing a package's README in the SiYuan Bazaar, making it a one-click attack. Once exploited, the attacker can execute arbitrary commands, steal sensitive data such as API tokens and configuration files, and install persistent backdoors on the victim's system.

Reproduction

To reproduce this vulnerability, create a GitHub repository with a README containing a malicious payload, such as an image tag with an 'onerror' attribute executing a JavaScript command. Submit the repository as a SiYuan package. When a user views the package details in the SiYuan Bazaar, the payload executes, leveraging SiYuan's Electron settings for remote code execution.

Remediation

Users can update to SiYuan version 3.6.1 or later, where this vulnerability has been patched.
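The following Go function is an added illustration of the defensive step the advisory says was missing, not SiYuan's own code or its patch: neutralizing raw HTML in README Markdown before it is rendered, so that an image tag carrying an onerror attribute reaches the frontend as literal text rather than a live element. It assumes nothing about SiYuan's renderer (a generic pre-render filter applied to the Markdown source); the sample README in the test is constructed, and the complementary layers are an established HTML sanitizer on the rendered output plus an Electron window with nodeIntegration disabled.

```go
package main

import "strings"

// NeutralizeRawHTML escapes the '<' that opens a raw HTML tag, comment or
// processing instruction in Markdown source, so a renderer that passes raw
// HTML through emits it as text rather than markup. Fenced code blocks and
// inline code spans are left alone. Caveat: autolinks like <https://x> too.
func NeutralizeRawHTML(md string) string {
	lines := strings.Split(md, "\n")
	fence := "" // "```" or "~~~" while inside a fenced block
	for i, line := range lines {
		trimmed := strings.TrimLeft(line, " ")
		switch {
		case fence == "" && (strings.HasPrefix(trimmed, "```") || strings.HasPrefix(trimmed, "~~~")):
			fence = trimmed[:3] // opening fence: keep the block verbatim
		case fence != "":
			if strings.HasPrefix(trimmed, fence) {
				fence = "" // closing fence
			}
		default:
			lines[i] = escapeLine(line)
		}
	}
	return strings.Join(lines, "\n")
}

// escapeLine escapes tag-opening '<' outside single-backtick code spans.
// A bare comparison such as "1 < 2" is not a tag and is left untouched.
func escapeLine(line string) string {
	var out strings.Builder
	inCode := false
	for i := 0; i < len(line); i++ {
		c := line[i]
		if c == '`' {
			inCode = !inCode
		}
		if c == '<' && !inCode && i+1 < len(line) && startsTag(line[i+1]) {
			out.WriteString("&lt;")
			continue
		}
		out.WriteByte(c)
	}
	return out.String()
}

// startsTag: the byte after '<' begins a tag name, end tag, comment/declaration or PI.
func startsTag(b byte) bool {
	return (b >= 'a' && b <= 'z') || (b >= 'A' && b <= 'Z') || b == '/' || b == '!' || b == '?'
}
```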

Added: Mar 20, 2026, 9:30 AM
Updated: Mar 20, 2026, 9:30 AM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.