SiYuan WebSocket Server Unauthenticated Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the SiYuan personal knowledge management system in versions prior to 3.6.2. The issue lies in the SiYuan kernel WebSocket server, which accepts a connection without authentication when the request carries the auth keepalive query parameter (`type=auth`). Once the connection is open, the server decodes incoming messages into generic JSON values and reads fields with unchecked type assertions, so a field that is absent or of the wrong type makes the assertion panic. A remote attacker who can reach the WebSocket endpoint can therefore send a single malformed message that raises a runtime panic and crashes the kernel process, causing a denial of service.
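The flaw class is easier to see in code. The following Go program is an added illustration, not SiYuan's own code, and the message field names (`cmd`, `params`) and function names are assumptions chosen for the example. `parseUnchecked` reproduces the unchecked type-assertion pattern: decoding an empty object `{}` yields a map with no `cmd` key, the lookup returns a nil interface value, and the bare assertion `.(string)` panics. `parseChecked` uses the comma-ok form and returns an error instead, and `serveMessage` shows the per-message `recover` a server loop should carry as defense in depth so one bad client cannot take the process down.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// parseUnchecked mirrors the vulnerable pattern: the JSON error is ignored
// and every field is read with a bare type assertion. For `{}`, `[]`,
// `{"cmd":5}` or non-JSON input the assertion panics and, without a
// recover, the whole process dies. (Hypothetical field names.)
func parseUnchecked(raw []byte) (cmd string, params map[string]interface{}) {
	var m map[string]interface{}
	_ = json.Unmarshal(raw, &m) // on error m stays nil; indexing nil map gives nil
	cmd = m["cmd"].(string)     // panics: interface conversion on nil / wrong type
	params = m["params"].(map[string]interface{})
	return cmd, params
}

// parseChecked is the hardened form: the decode error is surfaced and each
// assertion uses the comma-ok form so malformed input becomes an error value.
func parseChecked(raw []byte) (string, map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(raw, &m); err != nil {
		return "", nil, fmt.Errorf("invalid JSON: %w", err)
	}
	cmd, ok := m["cmd"].(string)
	if !ok || cmd == "" {
		return "", nil, errors.New("missing or non-string cmd")
	}
	params, ok := m["params"].(map[string]interface{})
	if m["params"] != nil && !ok {
		return "", nil, errors.New("params must be an object")
	}
	return cmd, params, nil
}

// panicsOn reports whether the vulnerable parser panics on the given input.
func panicsOn(raw []byte) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	parseUnchecked(raw)
	return false
}

// serveMessage is what a per-connection read loop should call: even if a
// parser somewhere still panics, the recover converts it into an error for
// this one message instead of crashing the kernel process. This is defense
// in depth, not a substitute for checked assertions.
func serveMessage(raw []byte, parse func([]byte) (string, map[string]interface{}, error)) (cmd string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered panic while handling message: %v", r)
		}
	}()
	cmd, _, err = parse(raw)
	return cmd, err
}

func main() {
	// Constructed sample messages: the empty object from the advisory plus
	// a few other shapes an attacker could send.
	inputs := []string{`{}`, `[]`, `{"cmd":5}`, `not json`, `{"cmd":"ping","params":{}}`}
	for _, in := range inputs {
		raw := []byte(in)
		cmd, _, err := parseChecked(raw)
		fmt.Printf("%-28s unchecked panics=%-5v checked cmd=%q err=%v\n",
			in, panicsOn(raw), cmd, err)
	}
}
```

Run it with `go run` on a file containing the block; every line except the well-formed `ping` message shows `unchecked panics=true` alongside a clean error from the checked parser.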

Impact

Exploitation triggers a runtime panic that crashes the kernel process, so every user of that SiYuan instance loses service until the process is restarted; no credentials are needed, and one malformed message suffices. The impact is most severe when the kernel is reachable beyond localhost, for example in Docker deployments, behind reverse proxies, on local area networks, or when publicly hosted, since any host that can open a WebSocket to the kernel can crash it repeatedly.

Reproduction

To reproduce this vulnerability, deploy SiYuan in a Docker container with the 'SIYUAN_ACCESS_AUTH_CODE_BYPASS' environment variable set to true. Once the application is running, open a WebSocket connection to '/ws?app=siyuan&id=auth&type=auth' without supplying any authentication. After the connection is established, send a malformed JSON payload, such as the empty object '{}'. The kernel process panics; the Go runtime panic and stack trace are visible in the container logs, and the container exits or restarts depending on its restart policy.

Remediation

Users should upgrade to SiYuan version 3.6.2 or later, where this vulnerability has been fixed. Until the upgrade is applied, do not expose the kernel port beyond localhost: an unauthenticated client that can reach the WebSocket endpoint can crash the process at will.

Added: Mar 20, 2026, 11:29 PM
Updated: Mar 20, 2026, 11:29 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 4.4
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.