SiYuan
cpe:2.3:a:b3log:siyuan:*:*:*:*:*:*:*
- <= 3.6.3
SiYuan versions through 3.6.3 allow attacker-controlled JavaScript URLs to be injected into the DOM through Mermaid diagrams. The application renders Mermaid with the 'loose' security level, which keeps 'javascript:' links from the diagram source in the output SVG instead of stripping them. In the Electron desktop builds this stored cross-site scripting (XSS) can be escalated to arbitrary code execution: when the victim clicks the crafted Mermaid node, the injected JavaScript runs with the privileges of the desktop user and can execute operating system commands.
The practical impact is a stored XSS that becomes remote code execution in the Electron-based desktop application. The victim only has to open a note containing the malicious Mermaid block and click the rendered diagram; the attacker's commands then run on the operating system as the current user.
To reproduce, create a Mermaid code block in SiYuan 3.6.3 or earlier and give one of its nodes a 'javascript:' URL (Mermaid attaches URLs to nodes through its click directive). Save the note; when the diagram is rendered, the URL is preserved in the SVG output. In an Electron desktop build, click the rendered node and the JavaScript URL executes. A payload that launches a calculator application is a convenient way to confirm that operating system commands run.
Update to SiYuan 3.6.4, which fixes this vulnerability.
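As an added example (not SiYuan's or Mermaid's own code), the JavaScript below puts the weak Mermaid setting beside the hardened one and adds a defence-in-depth pass that neutralises 'javascript:' links in rendered SVG before it is inserted into the DOM, including links hidden behind HTML entities, mixed case and embedded whitespace. `mermaid.initialize({ securityLevel })` is Mermaid's real option; the two config objects, the function names `decodeEntities`, `isDangerousUrl` and `sanitizeSvgLinks`, and the sample SVG are assumptions made for this example. The sample is constructed to resemble the anchor Mermaid wraps around a clickable node and is not captured from SiYuan.

```javascript
// Added example, not SiYuan's or Mermaid's code.
// Part 1: the Mermaid initialisation setting behind the advisory.
// mermaid.initialize({ securityLevel }) is Mermaid's real API; the objects
// below are constructed here and would be passed to it.
const WEAK_MERMAID_CONFIG = {
  startOnLoad: false,
  securityLevel: 'loose',  // click directives honoured, javascript: hrefs kept in the SVG
};
const HARDENED_MERMAID_CONFIG = {
  startOnLoad: false,
  securityLevel: 'strict', // Mermaid's default: click directives ignored, HTML escaped
};

// Part 2: defence in depth for code that inserts third-party SVG into the DOM.
// Function names and the entity table are choices made for this example.
const NAMED_ENTITIES = { colon: ':', tab: '\t', newline: '\n', amp: '&', quot: '"', lt: '<', gt: '>' };

// Decode numeric references (decimal and hex, semicolon optional as in HTML
// attribute parsing) and the few named references useful for hiding a scheme.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const v = NAMED_ENTITIES[name.toLowerCase()];
    return v !== undefined ? v : m;
  });
}

// Browsers strip leading C0/space characters and ignore tab/CR/LF inside a
// scheme, so "  java\nscript:" still executes. Normalise the same way first.
function isDangerousUrl(raw) {
  const cleaned = decodeEntities(raw).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(javascript|vbscript|data):/.test(cleaned);
}

// Rewrite every href / xlink:href whose value is a script-scheme URL to "#".
// Returns the cleaned markup and how many attributes were neutralised.
function sanitizeSvgLinks(svg) {
  const attrRe = /\b(href|xlink:href)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let removed = 0;
  const out = svg.replace(attrRe, (match, name, dq, sq) => {
    const value = dq !== undefined ? dq : sq;
    if (!isDangerousUrl(value)) return match;
    removed += 1;
    return `${name}="#"`; // neutralise rather than delete, keeps the markup well-formed
  });
  return { svg: out, removed };
}

// Constructed sample: the shape of the <a> Mermaid wraps around a node that
// carries a click directive when securityLevel is 'loose'. Not from SiYuan.
const SAMPLE_SVG = [
  '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">',
  '<a xlink:href="javascript:alert(document.domain)" target="_blank"><g class="node"><rect/></g></a>',
  '<a href="&#106;ava\tscript:alert(1)"><g class="node"/></a>', // entity + tab evasion
  '<a href="https://example.com/docs"><g class="node"/></a>',   // legitimate link, must survive
  '</svg>',
].join('\n');

console.log(sanitizeSvgLinks(SAMPLE_SVG));
```

With `securityLevel: 'strict'`, Mermaid's default, click directives are not honoured at all, so no link ever reaches the SVG; the sanitiser is the second layer for renderers that need 'loose' or 'antiscript' for legitimate diagrams. The other check worth making is on the Electron side, since that is what turns this XSS into code execution: as general Electron hardening guidance rather than a statement about SiYuan's configuration, a `BrowserWindow` whose `webPreferences` set `nodeIntegration: false`, `contextIsolation: true` and `sandbox: true` does not let a script running in the page reach Node.js modules such as `child_process` directly.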