SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.3
A path traversal vulnerability has been identified in SiYuan versions through 3.6.3. The issue arises in the /api/av/removeUnusedAttributeView endpoint, where the user-controlled id parameter is used to construct filesystem paths without proper validation or path boundary enforcement. This vulnerability allows an attacker to inject path traversal sequences to escape the intended directory and delete arbitrary .json files on the server, including critical global configuration files and workspace metadata. The vulnerability has been patched in version 3.6.4.
Exploitation of this vulnerability allows for the deletion of arbitrary .json files within the application's workspace directory. This could result in the loss of user data, corruption of workspace metadata, and persistent application instability. Deleting global configuration files could also lead to broader application issues.
To reproduce this vulnerability, ensure that the target SiYuan instance has the publish service enabled or that there is valid access to the /api/av/removeUnusedAttributeView endpoint. Then, send a POST request to the endpoint with a payload that includes a path traversal sequence in the id parameter, such as '../../../conf/conf'. The server will accept the request, resolve the path outside the intended directory, and delete the specified file.
Users are advised to update to SiYuan version 3.6.4 or later, where this vulnerability has been fixed.
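The input validation and path boundary enforcement that the description says were missing can be sketched in Go as follows. This is an added example, not SiYuan's code or its 3.6.4 patch; the function names, the error value and the /workspace/data/storage/av base directory are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadID is a hypothetical error value for rejected ids.
var ErrBadID = errors.New("invalid attribute view id")

// naiveAVPath shows the flaw class: the id is joined into the path unchecked,
// so ".." segments are resolved by Join and the result can leave baseDir.
func naiveAVPath(baseDir, id string) string {
	return filepath.Join(baseDir, id+".json")
}

// resolveAVPath returns <baseDir>/<id>.json only if that file is a direct
// child of baseDir. It does not resolve symlinks inside baseDir.
func resolveAVPath(baseDir, id string) (string, error) {
	// Validation: an id is a single file-name component, never a path.
	if id == "" || id == "." || id == ".." || strings.ContainsAny(id, `/\`) {
		return "", ErrBadID
	}
	base, err := filepath.Abs(baseDir) // absolute and cleaned
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, id+".json")
	// Boundary enforcement: after cleaning, the parent must still be base.
	if filepath.Dir(candidate) != base {
		return "", ErrBadID
	}
	return candidate, nil
}

func main() {
	base := "/workspace/data/storage/av" // constructed layout, assumed
	ids := []string{"20240101120000-abcdefg", "../../../conf/conf", "sub/x", ""}
	for _, id := range ids {
		p, err := resolveAVPath(base, id)
		fmt.Printf("id=%q naive=%q checked=%q err=%v\n", id, naiveAVPath(base, id), p, err)
	}
}
```

Any delete or write handler would call the checked resolver first and refuse the request on error, before touching the filesystem.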