CVE-2025-21609

03.01.2025, 17:15

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

Provider	Type	Base Score	Vector
NIST	NIST	UNKNOWN	---
GitHub_M	CNA	---	---
CISA-ADP	ADP	---	---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 26%

Common Weakness Enumeration

CWE-459 - Incomplete Cleanup
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

References

https://github.com/siyuan-note/siyuan/commit/d9887aeec1b27073bec66299a9a4181dc42969f3

https://github.com/siyuan-note/siyuan/security/advisories/GHSA-8fx8-pffw-w498