GHSA-4R66-7RCV-X46X

Vulnerability from github – Published: 2025-12-09 17:18 – Updated: 2025-12-09 17:18
Summary
SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin
Details

Summary

SiYuan is vulnerable to remote code execution (RCE) by an authenticated user. The issue stems from a "Zip Slip" (CWE-22) vulnerability in the kernel's archive extraction: entry names are not confined to the destination directory, so an uploaded archive can overwrite an existing executable on the host, and the pandoc binary setting then gives the attacker a way to run it.

Steps to reproduce

  1. Authenticate to the SiYuan kernel API.
  2. Create a zip slip payload containing the path-traversal entry ../../../../opt/siyuan/startup.sh. The startup.sh in the archive contains malicious code like:

     #!/bin/sh
     echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
     # print a pandoc-style version string so IsValidPandocBin() accepts this file
     echo "pandoc 3.1.0"

  3. Upload the zip to the workspace via /api/file/putFile.
  4. Extract the zip via /api/archive/unzip. The traversal entry overwrites the existing executable /opt/siyuan/startup.sh, which keeps its +x permission.
  5. Trigger execution by calling /api/setting/setExport with pandocBin=/opt/siyuan/startup.sh. The kernel's IsValidPandocBin() runs startup.sh --version to validate the setting; the script prints "pandoc 3.1.0" so the check passes, and whatever else the script contains runs with the kernel's privileges.
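The extraction flaw behind steps 2 and 4, as an added example that is not SiYuan's code: a Go program that builds the advisory's traversal archive in memory and then extracts it with the containment check a zip-slip-safe extractor needs. The workspace path /siyuan/workspace/data and the script body are taken from the advisory; the function names, the symlink refusal and the fixed 0o644 mode are this example's own choices and are not SiYuan's fix.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Constructed sample payload mirroring the advisory's step 2 (assumed, not captured).
const traversalEntry = "../../../../opt/siyuan/startup.sh"
const sampleScript = "#!/bin/sh\necho 'you have been pwned' > /siyuan/workspace/data/pwned.txt\necho \"pandoc 3.1.0\"\n"

// ErrZipSlip is returned when an entry would land outside the destination.
var ErrZipSlip = errors.New("zip slip: entry escapes destination directory")

// buildZip packs name->body pairs into an in-memory archive. archive/zip
// keeps entry names verbatim, so "../" segments survive exactly as written.
func buildZip(entries map[string]string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for name, body := range entries {
		f, err := w.Create(name)
		if err != nil {
			panic(err)
		}
		io.WriteString(f, body)
	}
	w.Close()
	return buf.Bytes()
}

func samplePayload() []byte { return buildZip(map[string]string{traversalEntry: sampleScript}) }

// safeJoin resolves an entry name against dest and rejects any result outside dest.
// A bare filepath.Join(dest, name) is the unsafe pattern: it cleans "../" away silently.
func safeJoin(dest, name string) (string, error) {
	destAbs, err := filepath.Abs(dest)
	if err != nil {
		return "", err
	}
	target := filepath.Join(destAbs, filepath.FromSlash(name))
	rel, err := filepath.Rel(destAbs, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrZipSlip, name)
	}
	return target, nil
}

// unzipInto extracts data under dest, stopping at the first traversal or symlink
// entry, and returns the paths written before the stop.
func unzipInto(dest string, data []byte) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	var written []string
	for _, f := range r.File {
		target, err := safeJoin(dest, f.Name)
		if err != nil {
			return written, err
		}
		// A symlink entry aimed outside dest lets a later entry write through it
		// even though both names pass safeJoin, so refuse symlinks outright.
		if f.Mode()&os.ModeSymlink != 0 {
			return written, fmt.Errorf("refusing symlink entry %q", f.Name)
		}
		if f.FileInfo().IsDir() {
			continue // parent directories are created per file below
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return written, err
		}
		rc, err := f.Open()
		if err != nil {
			return written, err
		}
		// Fixed 0o644: never honour the archive's mode bits, nothing here needs +x.
		out, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
		if err == nil {
			_, err = io.Copy(out, rc)
			out.Close()
		}
		rc.Close()
		if err != nil {
			return written, err
		}
		written = append(written, target)
	}
	return written, nil
}

func main() { fmt.Println(safeJoin("/siyuan/workspace/data", traversalEntry)) }
```

Running it prints the rejection for the startup.sh entry; the same name passed through a bare filepath.Join against /siyuan/workspace/data resolves to /opt/siyuan/startup.sh with no error at all. Two caveats for anyone fixing or hunting this class of bug: the containment check only removes the write primitive, while /api/setting/setExport still executes whatever path pandocBin names, so that input wants its own restriction (for example, refusing paths outside the locations where the kernel expects pandoc to live); and on Go 1.24 and later, os.Root provides the same containment at the OS level and also covers symlinks that already exist under the destination, which a name check cannot see.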

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.0.0-20251202123337-6ef83b42c7ce"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:18:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nSiyuan is vulnerable to RCE. The issue stems from a \"Zip Slip\" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.\n\n### Steps to reproduce\n1. Authenticate\n2. Create zip slip payload with path traversal entry `../../../../opt/siyuan/startup.sh`. startup.sh contains malicious code like:\n```bash\n#!/bin/sh\necho \u0027you have been pwned\u0027 \u003e /siyuan/workspace/data/pwned.txt\necho \"pandoc 3.1.0\"\n```\n3. Upload zip to workspace via `/api/file/putFile`\n4. Extract zip via `/api/archive/unzip`, overwrites the existing executable `startup.sh` while maintaining the +x permission\n5. Trigger execution by calling `/api/setting/setExport` with `pandocBin=/opt/siyuan/startup.sh`. This calls `IsValidPandocBin()` which executes `startup.sh --version` that outputs \"pandoc 3.1.0\" and executes any arbitrary malicious code",
  "id": "GHSA-4r66-7rcv-x46x",
  "modified": "2025-12-09T17:18:16Z",
  "published": "2025-12-09T17:18:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4r66-7rcv-x46x"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin"
}
