Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-55657

CVE-2024-55657: B3log Siyuan Path Traversal Vulnerability

CVE-2024-55657 is a path traversal flaw in B3log Siyuan that enables arbitrary file read through the /api/template/render endpoint. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2024-55657 Overview

CVE-2024-55657 is a path traversal vulnerability in SiYuan, an open-source personal knowledge management system developed by B3log. The flaw resides in the /api/template/render endpoint, which fails to validate the path parameter supplied by clients. An unauthenticated remote attacker can supply crafted path values to read arbitrary files on the host running SiYuan. The vulnerability affects all versions prior to 3.1.16 and is classified under [CWE-22] (Improper Limitation of a Pathname to a Restricted Directory). The maintainers shipped a fix in version 3.1.16 that enforces workspace path boundaries.

Critical Impact

Unauthenticated attackers can read arbitrary files outside the SiYuan workspace, exposing configuration, credentials, and sensitive notes stored on the host filesystem.

Affected Products

  • B3log SiYuan versions prior to 3.1.16
  • B3log SiYuan 3.1.15 (confirmed vulnerable per CPE data)
  • Self-hosted and Docker deployments exposing the SiYuan kernel API

Discovery Timeline

  • 2024-12-12 - CVE-2024-55657 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-55657

Vulnerability Analysis

The vulnerability exists in the template rendering handler within kernel/api/template.go. The endpoint accepts a path argument from the JSON request body and passes it directly to the template loader without verifying whether the resolved path stays inside the SiYuan workspace directory. An attacker can submit relative traversal sequences such as ../../../../etc/passwd or absolute paths to make the server read and return arbitrary files.

A secondary instance of the same root cause exists in kernel/model/export.go, where resource paths supplied for export operations were joined to the workspace directory without verifying containment. Both code paths were corrected in the same commit by introducing a workspace boundary check.

Root Cause

The handler relied on filepath.Join(util.WorkspaceDir, resourcePath) to construct file paths but did not call any canonicalization or containment check. Because filepath.Join does not strip traversal components when the input is absolute or contains .. segments resolved outside the workspace, the resulting path could point anywhere on the filesystem the SiYuan process could read.

Attack Vector

An unauthenticated remote attacker sends an HTTP POST request to /api/template/render with a path field containing a traversal payload or absolute path. The kernel reads the targeted file and returns its contents in the response. Network reachability to the SiYuan kernel port is the only prerequisite. The EPSS score is 0.717% (49th percentile) as of 2026-06-29.

go
// Patch in kernel/api/template.go
		return
	}

+	if !util.IsAbsPathInWorkspace(p) {
+		ret.Code = -1
+		ret.Msg = "Path [" + p + "] is not in workspace"
+		return
+	}
+
	preview := false
	if previewArg := arg["preview"]; nil != previewArg {
		preview = previewArg.(bool)

Source: GitHub commit e70ed57

The patch invokes util.IsAbsPathInWorkspace(p) and rejects any path that resolves outside the workspace. The same guard was added to the export resource loop:

go
// Patch in kernel/model/export.go
	for _, resourcePath := range resourcePaths {
-		resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath)    // 资源完整路径
+		resourceFullPath := filepath.Join(util.WorkspaceDir, resourcePath) // 资源完整路径
+		if !util.IsAbsPathInWorkspace(resourceFullPath) {
+			logging.LogErrorf("resource path [%s] is not in workspace", resourceFullPath)
+			err = errors.New("resource path [" + resourcePath + "] is not in workspace")
+			return
+		}

Source: GitHub commit e70ed57

Detection Methods for CVE-2024-55657

Indicators of Compromise

  • HTTP POST requests to /api/template/render containing .. sequences or absolute filesystem paths in the path parameter
  • Access log entries showing the SiYuan kernel returning sensitive file contents such as /etc/passwd, .env files, or SSH keys
  • Unexpected outbound connections from hosts running SiYuan following template render requests
  • SiYuan kernel error messages referencing files outside the configured workspace directory

Detection Strategies

  • Inspect reverse proxy and web server logs for requests to /api/template/render where the request body contains path traversal patterns like ../, ..\\, or absolute prefixes such as /etc/, /root/, or C:\\Windows\\.
  • Deploy a web application firewall rule that blocks path traversal patterns submitted to SiYuan API endpoints.
  • Audit installed SiYuan instances to confirm whether the running version is at or above 3.1.16.

Monitoring Recommendations

  • Forward SiYuan kernel logs to a centralized logging platform and alert on repeated 200 responses to /api/template/render from unauthenticated sources.
  • Monitor file access on the SiYuan host for reads of sensitive paths by the SiYuan process user.
  • Track network exposure of SiYuan instances and alert when the kernel port becomes reachable from untrusted networks.

How to Mitigate CVE-2024-55657

Immediate Actions Required

  • Upgrade SiYuan to version 3.1.16 or later, which contains the IsAbsPathInWorkspace validation.
  • Restrict network access to the SiYuan kernel API so it is only reachable from trusted clients or over an authenticated reverse proxy.
  • Review filesystem permissions for the account running SiYuan to limit exposure if the endpoint is reached.
  • Audit logs for prior exploitation attempts against /api/template/render.

Patch Information

The fix is delivered in SiYuan 3.1.16 via commit e70ed57f6e4852e2bd702671aeb8eb3a47a36d71. The maintainers documented the issue in GitHub Security Advisory GHSA-xx68-37v4-4596. Users should upgrade rather than apply manual patches because the same validation is reused across multiple API handlers.

Workarounds

  • Block external access to the /api/template/render endpoint at the reverse proxy until the upgrade is applied.
  • Run SiYuan under a dedicated low-privilege user account with read access only to the workspace directory.
  • Place SiYuan behind an authenticating proxy that enforces token validation before requests reach the kernel API.
bash
# Example nginx rule blocking traversal payloads to SiYuan template render
location /api/template/render {
    if ($request_body ~* "(\.\./|\.\.\\|/etc/|/root/)") {
        return 403;
    }
    proxy_pass http://127.0.0.1:6806;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.