N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4r66-7rcv-x46x

GHSA-4r66-7rcv-x46x: SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin

Summary

Siyuan is vulnerable to RCE. The issue stems from a "Zip Slip" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.

Steps to reproduce

Authenticate
Create zip slip payload with path traversal entry ../../../../opt/siyuan/startup.sh. startup.sh contains malicious code like:

#!/bin/sh
echo 'you have been pwned' > /siyuan/workspace/data/pwned.txt
echo "pandoc 3.1.0"

Upload zip to workspace via /api/file/putFile
Extract zip via /api/archive/unzip, overwrites the existing executable startup.sh while maintaining the +x permission
Trigger execution by calling /api/setting/setExport with pandocBin=/opt/siyuan/startup.sh. This calls IsValidPandocBin() which executes startup.sh --version that outputs "pandoc 3.1.0" and executes any arbitrary malicious code

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4r66-7rcv-x46x

GHSA-4r66-7rcv-x46x:

N/A

CVSS Score

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/siyuan-note/siyuan/kernel	go	<= 0.0.0-20251202123337-6ef83b42c7ce

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic two-stage RCE. First, an attacker uses a Zip Slip vulnerability in the unzip function to upload a malicious script to a known location on the server. The unzip function fails to sanitize the file paths within the zip archive, allowing the attacker to write outside of the intended destination directory.

Second, the attacker triggers the execution of the uploaded script by exploiting a command injection vulnerability in the IsValidPandocBin function. This function is called by the setExport API endpoint. The IsValidPandocBin function executes the provided binary path with --version to validate it. By setting the pandocBin path to their uploaded script, the attacker can get it to execute.

The combination of these two vulnerabilities allows a remote, authenticated attacker to achieve remote code execution on the SiYuan server.

Vulnerable functions

kernel.unzip

kernel/archive.go

This function is responsible for unzipping archives. It is vulnerable to a Zip Slip attack, which allows an attacker to write files to arbitrary locations on the file system by crafting a zip file with path traversal entries (e.g., `../../../../path/to/file`).

kernel.IsValidPandocBin

kernel/setting.go

This function is intended to validate the pandoc binary path. However, it does so by executing the binary with the `--version` argument. An attacker can abuse this by pointing to a malicious script, which will then be executed by the system. The vulnerability is triggered by the `setExport` function, which calls `IsValidPandocBin`.

kernel.setExport

kernel/setting.go

This function is the API endpoint that allows setting the export configuration, including the `pandocBin` path. It calls the `IsValidPandocBin` function, which contains the command injection vulnerability. An attacker would call this endpoint to trigger the execution of their malicious script.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4r66-7rcv-x46x: SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin

Summary

Steps to reproduce

GHSA-4r66-7rcv-x46x:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

N/A

GHSA-4r66-7rcv-x46x: SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin

Summary

Steps to reproduce

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI