DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-2H2P-MVFX-868W: Critical Path Traversal and Authentication Bypass in SiYuan


Vulnerability ID: GHSA-2H2P-MVFX-868W
CVSS Score: 9.3
Published: 2026-03-07

A critical path traversal vulnerability exists in the /export endpoint of the SiYuan kernel (versions prior to 3.5.10). By utilizing double URL-encoded traversal sequences, unauthenticated attackers can bypass path sanitization mechanisms to read arbitrary files from the host filesystem. This flaw is compounded by a permissive Cross-Origin Resource Sharing (CORS) policy and an insecure localhost privilege escalation mechanism, allowing malicious websites to exfiltrate sensitive configuration data—such as API tokens and authentication codes—from a victim's local instance via drive-by attacks.

TL;DR

Unauthenticated arbitrary file read in SiYuan via the /export endpoint using double-encoded traversal sequences (%252e%252e). This chains with CORS misconfigurations to allow remote attackers to steal credentials from local instances. Fixed in version 3.5.10.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Vulnerability Type: Path Traversal
  • CVSS Score: 9.3 (Critical)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None

Affected Systems

  • SiYuan Kernel: < 3.5.10 (Fixed in: 3.5.10)

Exploit Details

  • GitHub Advisory: the upstream advisory contains reproduction steps and payload examples.

Mitigation Strategies

  • Upgrade SiYuan to version 3.5.10 immediately.
  • Implement strict network segmentation to prevent external access to the SiYuan interface if patching is delayed.
  • Use a reverse proxy (e.g., Nginx) to block requests containing '%25' or traversal sequences.
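The proxy rule above catches the literal '%25' at the network edge; the kernel-side fix is to decode the requested path to a fixed point before normalising and checking that it stays under the export root. The following Go example was written for this post and is not SiYuan's code: it contrasts a single-decode filter, which the double-encoded form slips past, with a fixed-point decode plus root-containment check. The export root, the function names and the decode-round limit are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)
const maxDecodeRounds = 5 // bound on fixed-point decoding (assumed value)

// decodeFully percent-decodes until the string stops changing, so that
// "%252e%252e" -> "%2e%2e" -> ".." is seen as the traversal it really is.
func decodeFully(s string) (string, error) {
	for i := 0; i < maxDecodeRounds; i++ {
		d, err := url.PathUnescape(s)
		if err != nil {
			return "", err
		}
		if d == s {
			return d, nil
		}
		s = d
	}
	return "", errors.New("too many percent-encoding layers")
}
// SafeExportPath resolves requested under exportRoot and rejects anything that
// escapes it at any encoding depth. Hypothetical check, not SiYuan's own code.
func SafeExportPath(exportRoot, requested string) (string, error) {
	decoded, err := decodeFully(requested)
	if err != nil {
		return "", err
	}
	full := filepath.Join(exportRoot, filepath.FromSlash(decoded)) // Join cleans
	rel, err := filepath.Rel(exportRoot, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes export root", requested)
	}
	return full, nil
}
// NaiveSingleDecodeBlocked models a filter that decodes once and looks for
// "..": it misses the double-encoded form, which is the bug pattern here.
func NaiveSingleDecodeBlocked(requested string) bool {
	d, err := url.PathUnescape(requested)
	return err != nil || strings.Contains(d, "..")
}
func main() { // constructed sample input, run stand-alone
	_, err := SafeExportPath("/tmp/siyuan-export", "%252e%252e/%252e%252e/etc/passwd")
	fmt.Println("hardened check:", err)
}
```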

Remediation Steps:

  1. Stop the running SiYuan instance.
  2. Download the latest release (>= 3.5.10) from the official repository.
  3. Replace the kernel binary with the updated version.
  4. Restart the service and verify that requests to /export/%252e%252e return a 403 Forbidden or 404 Not Found.

Read the full report for GHSA-2H2P-MVFX-868W on our website for more details including interactive diagrams and full exploit analysis.
