CVE-2024-55658: SiYuan has an arbitrary file read and path traversal via /api/export/exportResources

December 11, 2024 (updated December 12, 2024)

Siyuan’s /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure.

References

github.com/advisories/GHSA-25w9-wqfq-gwqx
github.com/siyuan-note/siyuan
github.com/siyuan-note/siyuan/commit/e70ed57f6e4852e2bd702671aeb8eb3a47a36d71
github.com/siyuan-note/siyuan/security/advisories/GHSA-25w9-wqfq-gwqx
nvd.nist.gov/vuln/detail/CVE-2024-55658

Detect and mitigate CVE-2024-55658 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →