CVE-2025-68948

8.1 HIGH

📋 TL;DR

This vulnerability allows attackers to decrypt session cookies and steal authentication credentials in SiYuan Note software. Attackers who intercept session cookies can extract the AccessAuthCode and hijack user sessions. All users running SiYuan Note versions 3.5.1 and earlier are affected.

💻 Affected Systems

Products:
  • SiYuan Note
Versions: 3.5.1 and prior
Operating Systems: All platforms running SiYuan Note
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using default session management are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, unauthorized access to all user knowledge bases, potential data theft or destruction.

🟠 Likely Case: Session hijacking leading to unauthorized access to the user's personal knowledge management system and data.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, but authentication bypass remains possible.

🌐 Internet-Facing: HIGH - Session cookies can be intercepted over networks, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could still exploit this vulnerability.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires obtaining session cookies first, but the decryption step is straightforward once the cookies are acquired.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.5.2 or later

Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f7ph-rc3w-qp28

Restart Required: Yes

Instructions:

1. Backup your SiYuan data
2. Download SiYuan version 3.5.2 or later from official sources
3. Install the updated version
4. Restart the SiYuan application

🔧 Temporary Workarounds

Network Isolation (all platforms): Restrict access to SiYuan instances to trusted networks only.

Session Management (all platforms): Implement additional session validation and monitoring.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach SiYuan instances
  • Monitor for unusual session activity and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check the SiYuan version in the application settings or About dialog. If the version is 3.5.1 or earlier, the installation is vulnerable.

Check Version:

Check the version in the SiYuan application settings or About dialog (no CLI command is available).

Verify Fix Applied:

Verify that the SiYuan version is 3.5.2 or later after the update.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts followed by a successful login from a different IP address
  • Unusual session creation patterns
  • Access from unexpected locations

Network Indicators:

  • Unusual traffic patterns to SiYuan session endpoints
  • Multiple session cookie requests from the same source

SIEM Query:

source="siyuan" AND (event="session_created" OR event="authentication") | stats count by src_ip, user
