Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-55658

CVE-2024-55658: B3log Siyuan Path Traversal Vulnerability

CVE-2024-55658 is a path traversal vulnerability in B3log Siyuan that allows attackers to read arbitrary files via the /api/export/exportResources endpoint. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-55658 Overview

CVE-2024-55658 is a path traversal vulnerability in SiYuan, an open-source personal knowledge management system developed by B3log. The flaw resides in the /api/export/exportResources endpoint, where the paths parameter is not properly validated. Unauthenticated attackers can manipulate this parameter to traverse the workspace directory structure and download arbitrary files from the host system. The issue affects all versions of SiYuan prior to 3.1.16, which contains the official patch. The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory.

Critical Impact

Remote, unauthenticated attackers can read arbitrary files from systems running SiYuan versions prior to 3.1.16, exposing credentials, configuration files, and sensitive workspace data.

Affected Products

  • B3log SiYuan versions prior to 3.1.16
  • B3log SiYuan 3.1.15 (confirmed vulnerable per CPE data)
  • All SiYuan deployments exposing the /api/export/exportResources endpoint

Discovery Timeline

  • 2024-12-12 - CVE-2024-55658 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-55658

Vulnerability Analysis

The vulnerability exists in the resource export functionality exposed through the SiYuan HTTP API. The /api/export/exportResources endpoint accepts a paths parameter that specifies which workspace resources should be packaged for export. The application fails to canonicalize and validate these paths against the workspace root before reading files from disk.

Because the input is treated as a relative path joined to the workspace directory, supplying traversal sequences such as ../ allows the request to escape the intended directory boundary. The server then reads and returns the targeted file as part of the export response. SiYuan typically runs as a desktop or self-hosted service with the privileges of the local user, meaning the attacker inherits read access to any file the SiYuan process can open.

Root Cause

The root cause is missing path normalization and sandbox enforcement on user-supplied file paths. The handler concatenates the attacker-controlled paths value with the workspace base directory without verifying that the resolved absolute path remains within the workspace. Refer to the GitHub Security Advisory GHSA-25w9-wqfq-gwqx and the upstream patch commit for the exact code paths and remediation logic.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker who can reach the SiYuan HTTP listener sends a crafted POST request to /api/export/exportResources containing relative traversal sequences in the paths JSON field. The server responds with the contents of the targeted file, enabling exfiltration of operating system files, application secrets, SSH keys, browser data, or other notes stored outside the workspace.

No verified public exploitation code is available for this issue. The vulnerability mechanism is described in the vendor advisory linked above.

Detection Methods for CVE-2024-55658

Indicators of Compromise

  • HTTP requests to /api/export/exportResources containing ../, ..\, URL-encoded %2e%2e%2f, or absolute path prefixes in the paths parameter.
  • Outbound export responses returning files with names or sizes inconsistent with normal SiYuan resource bundles.
  • Access log entries showing unauthenticated POST requests to the export API from external or unexpected source IPs.

Detection Strategies

  • Inspect SiYuan HTTP access logs for traversal patterns in JSON request bodies sent to /api/export/* endpoints.
  • Deploy a web application firewall rule that blocks .. sequences and absolute paths in requests targeting SiYuan API routes.
  • Hunt for SiYuan processes opening files outside the configured workspace directory using endpoint telemetry and file access auditing.

Monitoring Recommendations

  • Alert on any SiYuan instance exposed to untrusted networks, particularly listeners bound to 0.0.0.0 on port 6806.
  • Monitor for spikes in response size from the export API, which may indicate large file exfiltration.
  • Correlate read access to sensitive files such as /etc/passwd, id_rsa, or .env with the parent process being the SiYuan binary.

How to Mitigate CVE-2024-55658

Immediate Actions Required

  • Upgrade SiYuan to version 3.1.16 or later on every host where it is installed.
  • Restrict network exposure of SiYuan by binding the service to 127.0.0.1 or placing it behind authenticated reverse proxy access.
  • Audit the workspace host for evidence of prior unauthorized access to files outside the SiYuan workspace.

Patch Information

The issue is fixed in SiYuan 3.1.16. The corrective change is implemented in commit e70ed57f6e4852e2bd702671aeb8eb3a47a36d71, which enforces validation of the paths parameter against the workspace root. Administrators should review the GHSA-25w9-wqfq-gwqx advisory for full upgrade guidance.

Workarounds

  • Block external access to the SiYuan API port (6806 by default) at the host firewall until the patch is deployed.
  • Run SiYuan under a dedicated low-privilege user account so that arbitrary file reads are constrained by filesystem permissions.
  • Deploy a reverse proxy in front of SiYuan that filters requests containing .., encoded traversal sequences, or absolute paths in JSON bodies.
bash
# Example: restrict SiYuan to loopback and verify the installed version
sudo ss -ltnp | grep 6806
siyuan --version   # ensure output reports 3.1.16 or higher
# Example nginx rule to drop traversal attempts to the export API
# location /api/export/ {
#     if ($request_body ~* "\.\./|%2e%2e%2f") { return 403; }
#     proxy_pass http://127.0.0.1:6806;
# }

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.