CVE-2025-68948 Overview
CVE-2025-68948 affects SiYuan, a self-hosted open source personal knowledge management application. Versions 3.5.1 and prior use a hardcoded cryptographic secret to sign and encrypt session cookies. Because that secret ships in the public source code, anyone can read it, which renders the session encryption ineffective. SiYuan stores the sensitive AccessAuthCode inside the session cookie, so an attacker who captures an encrypted cookie can decrypt it locally and recover the authentication token in plaintext. The flaw maps to CWE-321 Use of Hard-coded Cryptographic Key and CWE-798 Use of Hard-coded Credentials.
Critical Impact
An attacker who intercepts a SiYuan session cookie can decrypt it offline, extract the AccessAuthCode, and fully take over the victim's authenticated session.
Affected Products
- B3log SiYuan versions 3.5.1 and prior
- Self-hosted SiYuan Note deployments exposing the web interface
- Any SiYuan instance reachable over a network where session cookies can be intercepted
Discovery Timeline
- 2025-12-27 - CVE-2025-68948 published to NVD
- 2026-01-02 - Last updated in NVD database
Technical Details for CVE-2025-68948
Vulnerability Analysis
SiYuan uses a session store that encrypts cookies with a cryptographic secret embedded directly in the application source. Because the secret is shipped with every installation, every deployment of SiYuan signs and encrypts session data with the same key. The session payload contains the AccessAuthCode, which is the value SiYuan uses to authenticate users to the web interface. The encryption layer therefore provides no confidentiality boundary against any party that can read the public repository.
An attacker who obtains an encrypted session cookie — through network interception on plaintext HTTP, a malicious browser extension, cross-site scripting, log exposure, or a shared workstation — can take the cookie offline. Using the publicly known key, they decrypt the cookie locally and read the embedded AccessAuthCode. That code can then be replayed to authenticate to the target SiYuan instance, granting full access to the victim's notebooks and stored data.
Root Cause
The root cause is the use of a hardcoded cryptographic key for the session store. Cookie encryption only protects confidentiality when the signing and encryption key is unique per deployment and kept secret. Embedding the key in source code violates both requirements and effectively reduces cookie protection to obfuscation.
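To make the root cause concrete, the following Go program contrasts the hardcoded-key anti-pattern with a per-deployment secret. It is an added example written for this page, not SiYuan's own session code: the function names (loadOrCreateSessionKey, sealCookie, openCookie), the key file path and the JSON payload are all assumptions. The cookie is protected with AES-256-GCM from the standard library; the key is generated randomly on first start and persisted with owner-only permissions so that no two installations share it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const sessionKeyLen = 32 // AES-256 key size

// hardcodedKey is the anti-pattern behind CVE-2025-68948: a constant compiled into the
// binary. Every build from the same source shares it, so it is effectively public.
// (Constructed value for this example, not SiYuan's actual constant.)
var hardcodedKey = []byte("constructed-example-32-byte-key!")

// loadOrCreateSessionKey returns this deployment's session key. On first start it
// generates a random key and writes it with mode 0600; later starts reuse the file,
// so sessions survive restarts but never share a key with another installation.
func loadOrCreateSessionKey(path string) ([]byte, error) {
	if b, err := os.ReadFile(path); err == nil {
		if len(b) != sessionKeyLen {
			return nil, fmt.Errorf("session key %s has %d bytes, want %d", path, len(b), sessionKeyLen)
		}
		return b, nil
	} else if !errors.Is(err, os.ErrNotExist) {
		return nil, err
	}
	key := make([]byte, sessionKeyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if err := os.WriteFile(path, key, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

// sealCookie encrypts and authenticates a session payload with AES-256-GCM and returns
// a cookie-safe base64 string. The random nonce is prepended to the ciphertext.
func sealCookie(key, payload []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, payload, nil)), nil
}

// openCookie reverses sealCookie. It fails if the key differs or the cookie was altered.
func openCookie(key []byte, cookie string) ([]byte, error) {
	ct, err := base64.RawURLEncoding.DecodeString(cookie)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("cookie too short")
	}
	return gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], nil)
}

func main() {
	dir, err := os.MkdirTemp("", "session-key-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	keyA, _ := loadOrCreateSessionKey(filepath.Join(dir, "deployment-a.key"))
	keyB, _ := loadOrCreateSessionKey(filepath.Join(dir, "deployment-b.key"))
	payload := []byte(`{"accessAuthCode":"constructed-example"}`) // constructed payload

	// With the shared constant, any holder of the source opens the cookie; with a
	// per-deployment key, deployment B cannot open a cookie sealed by deployment A.
	shared, _ := sealCookie(hardcodedKey, payload)
	_, errShared := openCookie(hardcodedKey, shared)
	perDeploy, _ := sealCookie(keyA, payload)
	_, errCross := openCookie(keyB, perDeploy)
	fmt.Printf("hardcoded key opens the cookie anywhere: %v\n", errShared == nil)
	fmt.Printf("other deployment opens per-deployment cookie: %v\n", errCross == nil)
}
```

A per-deployment key fixes the confidentiality problem the advisory describes, but a second design choice also matters: the cookie should carry an opaque session identifier rather than the AccessAuthCode itself, so that even a future key compromise does not hand out the long-lived credential.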
Attack Vector
Exploitation requires obtaining a victim's session cookie, typically by intercepting it on the network, but no prior authentication or user interaction. After capturing the cookie, the attacker performs the decryption offline and then issues authenticated requests to the SiYuan server.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-f7ph-rc3w-qp28 for vendor technical details.
Detection Methods for CVE-2025-68948
Indicators of Compromise
- Authentication events for a single SiYuan user originating from multiple IP addresses or geographies within a short window.
- Requests to authenticated SiYuan endpoints carrying a valid session cookie but lacking the preceding login flow.
- Anomalous export, bulk read, or configuration changes shortly after a cookie is observed traversing untrusted networks.
Detection Strategies
- Inspect web server and reverse proxy logs for reuse of the same SiYuan session cookie value across distinct client fingerprints or IPs.
- Alert on SiYuan instances that are reachable over plaintext HTTP, since cookies traversing HTTP are trivially captured.
- Review SiYuan instance version banners across the environment and flag any node still running 3.5.1 or earlier.
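The first detection strategy above (one session cookie presented from several client IPs) can be run over reverse proxy logs. The Go program below is an added example, not part of the advisory or of SiYuan; it assumes a constructed log format in which the proxy writes a hash of the session cookie as sess=<hash> (never the raw cookie value), and the sample lines, IPs and paths are constructed for the example. It flags any session hash seen from more than one IP inside a configurable window.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed access-log format assumed by this example (not nginx's default):
//   <RFC3339 time> <client ip> sess=<hash of session cookie> <method> <path> <status>
const sampleLog = `
2026-01-02T10:00:01Z 203.0.113.5 sess=a1b2c3 POST /api/system/getConf 200
2026-01-02T10:00:09Z 203.0.113.5 sess=a1b2c3 GET /stage/build/app/index.html 200
2026-01-02T10:03:30Z 198.51.100.77 sess=a1b2c3 POST /api/export/exportMd 200
2026-01-02T10:01:00Z 192.0.2.10 sess=d4e5f6 POST /api/system/getConf 200
2026-01-02T10:02:00Z 192.0.2.10 sess=d4e5f6 GET /stage/build/app/index.html 200
2026-01-02T18:00:00Z 192.0.2.99 sess=d4e5f6 GET /stage/build/app/index.html 200
`

type accessEntry struct {
	When    time.Time
	IP      string
	Session string // hash of the cookie, as written by the proxy
	Path    string
}

// parseLine splits one log line into its fields; anything else is an error.
func parseLine(line string) (accessEntry, error) {
	f := strings.Fields(line)
	if len(f) != 6 || !strings.HasPrefix(f[2], "sess=") {
		return accessEntry{}, fmt.Errorf("unrecognised line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return accessEntry{}, err
	}
	return accessEntry{When: ts, IP: f[1], Session: strings.TrimPrefix(f[2], "sess="), Path: f[4]}, nil
}

type sharedSession struct {
	Session string
	IPs     []string      // distinct client IPs that presented the cookie
	Span    time.Duration // time between first and last sighting in the window
}

// findSharedSessions flags every session hash presented from more than one client IP
// within `window`. A user rarely changes address mid-session within minutes; a cookie
// replayed from a second machine (the CVE-2025-68948 scenario) does exactly that.
func findSharedSessions(log string, window time.Duration) ([]sharedSession, error) {
	bySession := map[string][]accessEntry{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		e, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		bySession[e.Session] = append(bySession[e.Session], e)
	}
	var out []sharedSession
	for sess, entries := range bySession {
		sort.Slice(entries, func(i, j int) bool { return entries[i].When.Before(entries[j].When) })
		for i := range entries {
			// Collect distinct IPs among entries that fall within `window` of entry i.
			ips := map[string]bool{entries[i].IP: true}
			last := entries[i].When
			for j := i + 1; j < len(entries) && entries[j].When.Sub(entries[i].When) <= window; j++ {
				ips[entries[j].IP] = true
				last = entries[j].When
			}
			if len(ips) > 1 {
				list := make([]string, 0, len(ips))
				for ip := range ips {
					list = append(list, ip)
				}
				sort.Strings(list)
				out = append(out, sharedSession{Session: sess, IPs: list, Span: last.Sub(entries[i].When)})
				break // one alert per session is enough
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Session < out[j].Session })
	return out, nil
}

func main() {
	alerts, err := findSharedSessions(sampleLog, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("session %s seen from %v within %s\n", a.Session, a.IPs, a.Span)
	}
}
```

With a ten-minute window only session a1b2c3 is reported: it moved between two networks within three and a half minutes. Session d4e5f6 changes IP eight hours later, which is ordinary roaming, so the window keeps it quiet; widening the window trades that quiet for broader coverage, which is the tuning knob to set per environment.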
Monitoring Recommendations
- Forward SiYuan access logs and the fronting reverse proxy logs into a centralized analytics platform for correlation.
- Monitor for sudden changes to the AccessAuthCode configuration or repeated failed-then-successful access patterns.
- Track outbound connections from SiYuan hosts to detect data staging after a successful session takeover.
How to Mitigate CVE-2025-68948
Immediate Actions Required
- Upgrade SiYuan to the version released after 3.5.1 that addresses GHSA-f7ph-rc3w-qp28.
- Rotate the AccessAuthCode on every affected SiYuan instance after upgrading, and invalidate all existing sessions.
- Place SiYuan behind HTTPS with HSTS to prevent cookie interception on the wire.
- Restrict SiYuan exposure to trusted networks or a VPN when public exposure is not required.
Patch Information
The maintainers documented the issue in the SiYuan GitHub Security Advisory GHSA-f7ph-rc3w-qp28. Apply the fixed release identified in that advisory. After upgrading, regenerate the session secret if the deployment exposes a configuration option for it, and force re-authentication of all users.
Workarounds
- Terminate TLS for SiYuan at a reverse proxy that enforces HTTPS, and disable any plaintext HTTP listener.
- Restrict access to the SiYuan port using firewall rules so cookies cannot be intercepted by untrusted networks.
- Set a strong, unique AccessAuthCode and rotate it on a defined schedule until the patched version is deployed.
# Example NGINX hardening for a SiYuan reverse proxy
server {
    listen 443 ssl http2;
    server_name siyuan.example.com;

    ssl_certificate     /etc/ssl/certs/siyuan.crt;
    ssl_certificate_key /etc/ssl/private/siyuan.key;

    # Pin browsers to HTTPS so the session cookie never travels in clear text
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;

    location / {
        # SiYuan's kernel listens on 6806 by default; keep it bound to loopback
        proxy_pass http://127.0.0.1:6806;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # SiYuan's UI keeps a WebSocket open to the kernel; allow the upgrade
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Force Secure/HttpOnly/SameSite on every upstream cookie (nginx 1.19.3+)
        proxy_cookie_flags ~ secure httponly samesite=strict;
    }
}

# Redirect any plaintext request to HTTPS
server {
    listen 80;
    server_name siyuan.example.com;
    return 301 https://$host$request_uri;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.