SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.5.9
A critical remote code execution vulnerability has been identified in SiYuan versions 3.6.0 and below. The issue arises from the Bazaar marketplace rendering package metadata fields, such as displayName and description, using template literals without proper HTML escaping. This flaw allows malicious package authors to inject arbitrary HTML or JavaScript, which executes automatically when users visit the Bazaar page. SiYuan's Electron configuration, which enables nodeIntegration with contextIsolation set to false, allows this cross-site scripting vulnerability to escalate to full remote code execution on the user's operating system, requiring no interaction beyond opening the marketplace tab.
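The rendering defect described above, shown as an added example that is not SiYuan's own code: a template literal that interpolates manifest fields unescaped, the same card rendered through an HTML escaper, and the Electron renderer settings named in the advisory beside the hardened ones. The manifest values and function names are constructed for illustration.

```javascript
// Added example, not SiYuan's code: the unsafe template-literal rendering the
// advisory describes, a hardened version, and the Electron webPreferences change.

// Constructed stand-in for a hostile plugin.json; the tag and quotes are
// placeholders showing where markup would land, not a working payload.
const untrustedManifest = {
  name: "example-plugin",                          // constructed
  displayName: 'Nice Plugin <script>x()</script>', // constructed
  description: 'Does "things" & <b>more</b>',      // constructed
};

// Vulnerable pattern: metadata interpolated straight into HTML, so any
// markup in the manifest becomes part of the Bazaar page's DOM.
function renderCardUnsafe(pkg) {
  return `<div class="b3-card">
  <h3>${pkg.displayName}</h3>
  <p>${pkg.description}</p>
</div>`;
}

// Escape the five characters that matter in text nodes and quoted attributes;
// '&' goes first so already-escaped output is not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderCardSafe(pkg) {
  return `<div class="b3-card">
  <h3>${escapeHtml(pkg.displayName)}</h3>
  <p>${escapeHtml(pkg.description)}</p>
</div>`;
}

// Detection helper: does a raw manifest field survive into the rendered HTML?
function hasRawMetadata(html, pkg) {
  return html.includes(pkg.displayName) || html.includes(pkg.description);
}

// The renderer settings the advisory names, beside settings that keep script
// running in the page from reaching Node.js (standard Electron option names).
const vulnerableWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true, sandbox: true };
```

Escaping at the rendering site fixes the page; the webPreferences change is what stops a remaining XSS from becoming code execution.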
Exploitation of this vulnerability leads to full remote code execution on the victim's operating system, with no user interaction required beyond opening the Bazaar marketplace tab. The vulnerability allows for a supply-chain attack, as it targets all SiYuan desktop users through the official marketplace. The injected payload executes automatically when the Bazaar page is loaded, taking advantage of the Electron application's configuration that permits direct access to Node.js APIs. This exploitation could be used to steal sensitive information such as API tokens and session cookies, execute arbitrary commands, or install persistent backdoors or ransomware.
To reproduce this vulnerability, create a malicious SiYuan plugin by injecting an XSS payload into the 'displayName' or 'description' fields of the 'plugin.json' manifest. Submit the plugin to the SiYuan Bazaar community marketplace. Once the plugin is published, any user who opens the Bazaar tab in SiYuan will trigger the XSS payload, executing the injected JavaScript with full access to the operating system via Node.js.
Users can update to SiYuan version 3.6.1, where this vulnerability has been fixed.