SiYuan is a personal knowledge management system. Prior to version 3.6.2, the /api/file/readDir interface was used to traverse and retrieve the file names of all documents under a notebook. Version 3.6.2 patches the issue.
The /api/file/readDir API endpoint does not properly validate provided paths, allowing an attacker to construct an HTTP request containing a manipulated path (path traversal). This makes it possible to escape the allowed directory and recursively browse the notebook file structure. The vulnerability is exploited without the need for an account or session — network access to the SiYuan instance is sufficient.
An attacker can gain unauthorized access to the names and structure of all documents stored in notebooks, leading to a breach of user data confidentiality. The exposed file structure may facilitate further targeted attacks on specific documents.
SiYuan should be updated to version 3.6.2, which contains the official patch eliminating this vulnerability. Additionally, it is recommended to restrict network access to the SiYuan instance only to trusted hosts (e.g., via firewall or binding to localhost) if the application does not need to be publicly accessible.
B3Log SiYuan in all versions before 3.6.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HB3log Siyuan
APPB3Log< 3.6.2
Related vulnerabilities
B3Log SiYuan: XSS w diagramach Mermaid eskaluje do RCE w Electron
RCE przez stored XSS w kliencie desktopowym B3Log SiYuan
RCE w SiYuan poprzez nadmiernie permisywną politykę CORS
Stored XSS → RCE w B3Log SiYuan via złośliwy URL w Attribute View
B3Log SiYuan — nieuprawniony odczyt treści dokumentów przez API