SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.1
A remote code execution vulnerability has been identified in SiYuan, a personal knowledge management system, prior to version 3.6.2. The issue arises from a permissive Cross-Origin Resource Sharing (CORS) policy that allows malicious websites to inject JavaScript snippets through the SiYuan API. Once injected, these snippets execute in the context of Electron's Node.js environment, with full access to the operating system, the next time the user opens the SiYuan interface. Exploitation requires no user interaction beyond visiting the malicious website while SiYuan is active.
Exploitation of this vulnerability allows arbitrary code execution on the user's machine, with the injected code running in the context of the SiYuan application. This execution occurs with the user's privileges, potentially leading to unauthorized access to or modification of files and data. Additionally, the vulnerability allows exfiltration of sensitive information such as API tokens and notes through the SiYuan API, even before the injected payload is triggered.
To reproduce this vulnerability, first, ensure that SiYuan desktop is running. Then, log into SiYuan via a web browser to establish a session cookie. After that, navigate to a malicious webpage that exploits the CORS vulnerability by sending a JavaScript snippet injection request to the SiYuan API. The injected snippet will execute the next time the SiYuan UI is opened, demonstrating the remote code execution aspect of the vulnerability.
Users can update to SiYuan version 3.6.2, which addresses this vulnerability by improving the application's CORS policy and enhancing overall security.
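The CORS weakness described above, as an added Go illustration that is not SiYuan's own code: an HTTP middleware that reflects any Origin while allowing credentials (so a page on any site a logged-in user visits can call the local API with the session cookie) next to one that admits only allowlisted origins, plus a probe that checks which policy a handler enforces. The allowlist, the endpoint path and the origins are assumed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origins the local kernel trusts (assumed value; the product's real list is not on the page).
var trustedOrigins = map[string]bool{"http://127.0.0.1:6806": true}
// permissiveCORS reflects any Origin and allows credentials, so any site a logged-in user visits can call the API with the session cookie.
func permissiveCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if o := r.Header.Get("Origin"); o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
		}
		next.ServeHTTP(w, r)
	})
}
// strictCORS echoes only allowlisted origins and rejects all others before the request reaches the API handler.
func strictCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		o := r.Header.Get("Origin")
		if o != "" && !trustedOrigins[o] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		if o != "" {
			w.Header().Set("Access-Control-Allow-Origin", o)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Add("Vary", "Origin")
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a cross-origin request through mw and reports the status code and whether a browser would expose the credentialed response to the calling page.
func probe(mw func(http.Handler) http.Handler, origin string) (int, bool) {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte(`{"code":0}`)) })
	req := httptest.NewRequest(http.MethodPost, "/api/placeholder", nil) // hypothetical endpoint path
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	mw(api).ServeHTTP(rec, req)
	return rec.Code, rec.Code == http.StatusOK && rec.Header().Get("Access-Control-Allow-Origin") == origin
}
func main() {
	fmt.Println(probe(permissiveCORS, "https://untrusted.example")) // 200 true
	fmt.Println(probe(strictCORS, "https://untrusted.example"))     // 403 false
}
```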