CVE-2025-21609

9.1 CRITICAL

📋 TL;DR

SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability in the POST /api/history/getDocHistoryContent endpoint. Attackers can craft payloads to delete arbitrary files on the server, potentially causing data loss or service disruption. All users running SiYuan Note 3.1.18 are affected.

💻 Affected Systems

Products:
  • SiYuan Note
Versions: 3.1.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects self-hosted instances; cloud/SaaS deployments are managed by vendor.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to OS corruption, data loss, and permanent service unavailability.

🟠 Likely Case

Deletion of application files, user data, or configuration files causing service disruption and data loss.

🟢 If Mitigated

Limited impact if proper file permissions and access controls restrict deletion to non-critical files.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Vulnerability is in a public API endpoint; exploitation requires crafting specific HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.1.19

Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498

Restart Required: Yes

Instructions:

1. Back up your SiYuan data.
2. Update to version 3.1.19 via package manager or download from official repository.
3. Restart the SiYuan service.
4. Verify the fix by checking the version.

🔧 Temporary Workarounds

Block vulnerable endpoint

all

Use web server or firewall rules to block access to /api/history/getDocHistoryContent endpoint

# For nginx:
location ~ ^/api/history/getDocHistoryContent { deny all; }

# For Apache:
<Location "/api/history/getDocHistoryContent">
    Require all denied
</Location>

Restrict file permissions

linux

Set strict file permissions to limit what files the SiYuan process can delete

# Files only: applying 644 to directories would remove their search (x) bit
find /path/to/siyuan/data -type f -exec chmod 644 {} +
chown root:root /etc/passwd /etc/shadow /etc/hosts

🧯 If You Can't Patch

  • Isolate SiYuan instance from internet and restrict to trusted network access only
  • Implement strict file system permissions and run SiYuan with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check if running SiYuan version 3.1.18 via web interface or configuration files

Check Version:

Check SiYuan web interface settings or examine package version: dpkg -l siyuan-note or rpm -q siyuan-note

Verify Fix Applied:

Verify version is 3.1.19 or later and check that commit d9887aeec1b27073bec66299a9a4181dc42969f3 is present

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /api/history/getDocHistoryContent
  • File deletion events in system logs from SiYuan process
  • Error logs showing file access failures

Network Indicators:

  • HTTP POST requests to /api/history/getDocHistoryContent with unusual parameters
  • Traffic patterns showing file system manipulation

SIEM Query:

source="siyuan.log" AND (uri_path="/api/history/getDocHistoryContent" OR message="file deletion")
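
The log indicator above, as a script run over reverse-proxy access logs. This is an added example, not code from the advisory or from SiYuan. It assumes a proxy in front of SiYuan that writes combined-format access logs and answers blocked requests with 403, as the workaround rules above do; the sample lines are constructed.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/api/history/getDocHistoryContent"  # path named in this advisory

# Combined log format (assumption: the proxy in front of SiYuan logs this way).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_endpoint(target):
    """Drop the query string, decode and normalise the path, then compare."""
    path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0]))
    return normpath(path) == ENDPOINT

def flag_requests(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to ENDPOINT."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and is_endpoint(m["target"]):
            hits[m["ip"]].append((m["ts"], int(m["status"])))
    return dict(hits)

def reached_backend(hits):
    """Client IPs with at least one request not answered 403 by the block rule."""
    return sorted(ip for ip, reqs in hits.items() if any(s != 403 for _, s in reqs))

# Constructed sample lines (documentation addresses), not from a real incident.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2025:10:01:02 +0000] "POST /api/history/getDocHistoryContent HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.0.2.10 - - [12/Jan/2025:10:01:05 +0000] "POST /api//history/getDocHistoryContent?x=1 HTTP/1.1" 200 498 "-" "curl/8.5.0"',
    '198.51.100.7 - - [12/Jan/2025:10:02:00 +0000] "POST /api/history/getDocHistoryContent HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2025:10:03:11 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2025:10:03:12 +0000] "POST /api/notebook/lsNotebooks HTTP/1.1" 200 731 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = flag_requests(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, len(reqs), "request(s):", reqs)
    print("not blocked:", reached_backend(hits))
```

Clients listed by reached_backend got a response from SiYuan itself rather than from the block rule, so on a 3.1.18 instance those are the requests to correlate with file deletion events on the host.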
