CVE-2026-25539
📋 TL;DR
This vulnerability allows authenticated users of SiYuan personal knowledge management system to write files to arbitrary locations on the filesystem due to improper validation of the dest parameter in the /api/file/copyFile endpoint. This can lead to remote code execution by writing to sensitive system files. All SiYuan installations prior to version 3.5.5 are affected.
💻 Affected Systems
- SiYuan Personal Knowledge Management System
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution, allowing attackers to execute arbitrary commands, install malware, or create persistent backdoors by writing to cron jobs, SSH authorized_keys, or shell configuration files.
Likely Case
Unauthorized file writes leading to data manipulation, privilege escalation, or limited code execution depending on the attacker's authenticated access level and system configuration.
If Mitigated
Limited impact with proper network segmentation, minimal user privileges, and file system permissions that restrict write access to sensitive locations.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained. The path traversal technique is well-documented and easy to implement.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.5
Vendor Advisory: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9
Restart Required: Yes
Instructions:
1. Backup your SiYuan data.
2. Download SiYuan version 3.5.5 or later from the official repository.
3. Stop the SiYuan service.
4. Replace the existing installation with the new version.
5. Restart the SiYuan service.
6. Verify the version is 3.5.5 or higher.
🔧 Temporary Workarounds
Restrict API Access
Block or restrict access to the vulnerable /api/file/copyFile endpoint using web application firewall rules or reverse proxy configuration.
# Example nginx location block to deny access
location /api/file/copyFile { deny all; }
File System Permissions Hardening
Set strict file system permissions to prevent SiYuan from writing to sensitive directories outside its intended data directory.
# Example: Restrict SiYuan user to specific directory
chown -R siyuan:siyuan /opt/siyuan/data
chmod 750 /opt/siyuan/data
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SiYuan instances from critical systems.
- Enforce principle of least privilege for SiYuan application and user accounts to limit potential damage.
🔍 How to Verify
Check if Vulnerable:
Check if SiYuan version is below 3.5.5 by examining the version in the web interface or checking the installation directory for version files.
Check Version:
Check the 'About' section in SiYuan web interface or examine version.txt in the installation directory.
Verify Fix Applied:
Confirm the installed version is 3.5.5 or higher and test that the /api/file/copyFile endpoint properly validates the dest parameter with path traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations outside SiYuan data directory
- Multiple failed authentication attempts followed by API calls to /api/file/copyFile
- Path traversal patterns in API request parameters
Network Indicators:
- POST requests to /api/file/copyFile with suspicious dest parameter values containing '../' sequences
- Unusual outbound connections from SiYuan server following API calls
SIEM Query:
source="siyuan.log" AND (uri_path="/api/file/copyFile" AND (param_dest CONTAINS "../" OR param_dest CONTAINS "..\\"))
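Added example (not SiYuan's own code): the missing validation the "Verify Fix Applied" step refers to, written as a Go function that resolves dest against the workspace root and rejects anything that lands outside it, plus a helper that applies the same rule to logged dest values as a complement to the substring-based SIEM query above. The workspace path and the sample dest values are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when dest would land outside the workspace.
var ErrOutsideWorkspace = errors.New("dest escapes the workspace directory")

// ResolveDest joins the client-supplied dest with the workspace root, cleans
// the result and accepts it only if it is still below the root. Canonical
// comparison catches what a "../" substring scan misses (e.g. "..\") and does
// not reject harmless forms such as "notes/../a.md" that stay inside.
func ResolveDest(workspace, dest string) (string, error) {
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	// Treat backslashes as separators so a Windows-style "..\" is caught on
	// any platform instead of becoming an odd file name.
	dest = strings.ReplaceAll(dest, `\`, "/")
	full := filepath.Clean(filepath.Join(root, filepath.FromSlash(dest)))
	rel, err := filepath.Rel(root, full)
	if err != nil {
		return "", err
	}
	// After Clean, an escape can only appear as a leading ".." component.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return full, nil
}

// FlagRequests applies the same rule to dest values taken from request logs
// and returns the ones that would have escaped the workspace.
func FlagRequests(workspace string, dests []string) []string {
	var hits []string
	for _, d := range dests {
		if _, err := ResolveDest(workspace, d); errors.Is(err, ErrOutsideWorkspace) {
			hits = append(hits, d)
		}
	}
	return hits
}

func main() {
	// Constructed sample of dest parameter values seen in copyFile requests.
	sample := []string{"assets/img.png", "notes/../a.md", "../../outside.txt", `..\..\outside.txt`}
	fmt.Println(FlagRequests("/opt/siyuan/data", sample)) // prints [../../outside.txt ..\..\outside.txt]
}
```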