CVE-2025-21609

Jan. 3, 2025, 5:15 p.m.

None
No Score

Description

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

Product(s) Impacted

Product Versions
SiYuan Note
  • 3.1.18

Weaknesses

CWE-459
Incomplete Cleanup
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.

References

https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3
https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498

Tags

security-advisories@github.com
CWE-459
2025-01-03
CVE-2025-21609

Date

  • Published: Jan. 3, 2025, 5:15 p.m.
  • Last Modified: Jan. 3, 2025, 5:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.