Platform: go
Component: github.com/siyuan-note/siyuan/kernel
Fixed in: 3.1.17, 0.0.1
CVE-2024-55659 describes an arbitrary file write vulnerability discovered in SiYuan, a knowledge management tool. The flaw allows an attacker to write arbitrary files to the server through the /api/asset/upload endpoint of the kernel component. The vulnerability affects versions of SiYuan prior to 3.1.16. A fix has been released in version 3.1.16, and users are strongly advised to upgrade.
The arbitrary file write vulnerability in SiYuan poses a significant risk. An attacker could leverage this to upload malicious files, such as web shells, to the server. Successful exploitation could lead to remote code execution (RCE), allowing the attacker to gain complete control over the affected system. The attacker could also overwrite critical configuration files, disrupt service, or exfiltrate sensitive data stored on the server. The impact is amplified if the SiYuan instance is deployed in a production environment or handles sensitive information.
CVE-2024-55659 was publicly disclosed on December 12, 2024. The vulnerability's simplicity and the lack of authentication requirements make it potentially attractive to opportunistic attackers. There are currently no known public exploits or active campaigns targeting this vulnerability, but given its ease of exploitation, it is likely to be targeted in the future. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.53% (67th percentile)
CISA SSVC
The primary mitigation for CVE-2024-55659 is to immediately upgrade SiYuan to version 3.1.16 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the /api/asset/upload endpoint to trusted users and networks. Implement strict file type validation and size limits on uploaded files. Monitor system logs for suspicious file creation or modification activity. Consider using a Web Application Firewall (WAF) to filter out malicious requests targeting the upload endpoint.
Update SiYuan to version 3.1.16 or later. This version contains a fix for the arbitrary file write and stored XSS vulnerability. The update can be performed through the SiYuan administration interface or by downloading the latest version from the official website.
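The workarounds above (restricting the endpoint, validating file names and types, capping size) can be illustrated with a small upload handler. The following Go code is an added example written for this page; it is not SiYuan's own implementation and does not reproduce the vulnerable code. The multipart field name "file", the assets directory, the 10 MiB limit and the extension allowlist are all assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"os"
	"path/filepath"
	"strings"
)

// maxUploadBytes caps the request body. Assumed value for this example.
const maxUploadBytes = 10 << 20 // 10 MiB

// allowedExt is an extension allowlist for stored assets. Assumed set for this example.
var allowedExt = map[string]bool{
	".png": true, ".jpg": true, ".jpeg": true, ".gif": true, ".pdf": true,
}

var (
	errBadName = errors.New("invalid file name")
	errBadType = errors.New("file type not allowed")
	errEscape  = errors.New("path escapes assets directory")
)

// safeAssetPath maps a client-supplied file name to a path strictly inside assetsDir.
// Traversal sequences are discarded rather than rejected: "../../x.png" becomes "x.png".
func safeAssetPath(assetsDir, clientName string) (string, error) {
	// Normalise Windows separators so filepath.Base sees every path element.
	base := filepath.Base(strings.ReplaceAll(clientName, "\\", "/"))
	// Reject empty names, the directory itself, hidden files and embedded NUL bytes.
	if base == "." || base == "/" || strings.HasPrefix(base, ".") || strings.ContainsRune(base, 0) {
		return "", errBadName
	}
	if !allowedExt[strings.ToLower(filepath.Ext(base))] {
		return "", errBadType
	}
	full := filepath.Join(assetsDir, base)
	// Defence in depth: confirm the joined path is still below assetsDir.
	rel, err := filepath.Rel(assetsDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errEscape
	}
	return full, nil
}

// uploadHandler stores one multipart file under assetsDir using the checks above.
func uploadHandler(assetsDir string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Enforce the size limit before the multipart body is parsed.
		r.Body = http.MaxBytesReader(w, r.Body, maxUploadBytes)
		f, hdr, err := r.FormFile("file") // field name is an assumption
		if err != nil {
			http.Error(w, "bad upload", http.StatusBadRequest)
			return
		}
		defer f.Close()
		dst, err := safeAssetPath(assetsDir, hdr.Filename)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		// O_EXCL refuses to overwrite an existing file, so uploads cannot clobber anything.
		out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o644)
		if err != nil {
			http.Error(w, "cannot store asset", http.StatusConflict)
			return
		}
		defer out.Close()
		if _, err := io.Copy(out, f); err != nil {
			http.Error(w, "write failed", http.StatusInternalServerError)
			return
		}
		fmt.Fprintf(w, "stored %s\n", filepath.Base(dst))
	}
}

func main() {
	assetsDir := "./assets" // assumed location for this example
	if err := os.MkdirAll(assetsDir, 0o755); err != nil {
		log.Fatal(err)
	}
	http.Handle("/api/asset/upload", uploadHandler(assetsDir))
	// Binding to loopback is one way to restrict the endpoint to trusted callers;
	// a reverse proxy or WAF in front of it would add authentication and filtering.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The sanitised name, not the client-supplied one, decides where the bytes land, and the final `filepath.Rel` check guards against any future change to the sanitisation logic. Monitoring for files appearing under the assets directory with unexpected extensions complements these controls.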
CVE-2024-55659 is a vulnerability in SiYuan allowing attackers to write arbitrary files via the /api/asset/upload endpoint, potentially leading to code execution. It has a CVSS score of 7.5 (HIGH).
You are affected if you are using SiYuan versions prior to 3.1.16. Check your current version and upgrade immediately if necessary.
Upgrade SiYuan to version 3.1.16 or later. As a temporary workaround, restrict access to the /api/asset/upload endpoint and implement strict file validation.
There are currently no known active exploits, but the vulnerability's simplicity suggests it may be targeted in the future.
Refer to the SiYuan project's official release notes and security advisories on their GitHub repository: https://github.com/siyuan-note/siyuan/releases