Threat Feed
high advisory

Note Mark Arbitrary File Write via Path Traversal Leads to Remote Code Execution

Note Mark is vulnerable to arbitrary file write via path traversal in asset names, leading to remote code execution by overwriting system binaries such as /bin/bash.

Note Mark versions 0.19.2 and earlier contain an arbitrary file write vulnerability that leads to remote code execution. Authenticated users can upload assets to notes via POST /api/notes/{noteID}/assets, with the asset filename taken directly from the X-Name HTTP header. The application fails to sanitize this filename, storing it directly in the database. When an administrator subsequently runs the data export CLI commands (note-mark migrate export-v1 or note-mark migrate export), the stored asset name is passed into filepath.Join() calls. An attacker-controlled asset name containing directory traversal sequences (e.g., ../) allows writing files to arbitrary locations, which can be escalated to RCE by overwriting system binaries, such as /bin/bash. The vulnerability is present in Note Mark’s backend component.

Attack Chain

  1. Attacker registers an account and authenticates to the Note Mark application.
  2. Attacker creates a notebook using a POST request to /api/books.
  3. Attacker creates a note within the notebook using a POST request to /api/books/<BOOK_ID>/notes.
  4. Attacker uploads an asset with a malicious payload to /api/notes/<NOTE_ID>/assets, setting the X-Name header to a filename containing a path traversal sequence that resolves to a sensitive file such as /bin/bash.
  5. The application stores the unsanitized filename (including the path traversal) in the database.
  6. An administrator triggers a data export using note-mark migrate export-v1 --export-dir /data/backup or note-mark migrate export.
  7. The export process uses the unsanitized filename in filepath.Join(), causing a file to be written to the attacker-specified location (e.g., overwriting /bin/bash).
  8. The next time bash is invoked, the attacker’s payload executes, resulting in code execution as root.

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system with root privileges, leading to complete system compromise. Overwriting /bin/bash results in RCE the next time any user invokes bash. The number of affected installations is unknown, but the vulnerability exists in version 0.19.2 and earlier.

Recommendation

  • Deploy the Sigma rule to detect asset uploads with path traversal sequences in the X-Name header.
  • Apply filepath.Base() to the X-Name header value in backend/handlers/assets.go before storing it in the database, as described in the advisory.
  • Apply filepath.Base() to asset.Name in backend/cli/migrate.go at lines 328 and 223 before using it in file path construction.
  • Upgrade to a patched version of Note Mark which addresses CVE-2026-44522.
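The two filepath calls named in the recommendations, shown side by side as an added Go example (not Note Mark's own code): the unsanitised join that lets a stored asset name escape the export directory, the filepath.Base() fix with a containment check on top, and a small predicate for the traversal condition the detection rule looks for. Function and variable names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// assetPathUnsafe mirrors the vulnerable pattern: the asset name stored from
// the X-Name header is joined with the export directory as-is, so a name such
// as "../../../bin/bash" is cleaned by Join into a path outside exportDir.
func assetPathUnsafe(exportDir, name string) string {
	return filepath.Join(exportDir, name)
}

var errBadAssetName = errors.New("asset name escapes export directory")

// assetPathSafe applies the advisory's fix (filepath.Base strips every directory
// component) and then rejects the degenerate results Base can still return
// ("." for an empty name, "..", or "/" for a bare slash) before joining.
func assetPathSafe(exportDir, name string) (string, error) {
	base := filepath.Base(name)
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", errBadAssetName
	}
	root := filepath.Clean(exportDir)
	full := filepath.Join(root, base)
	// Containment check: the result must still sit under root.
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errBadAssetName
	}
	return full, nil
}

// nameEscapes reports whether a raw asset name would leave the export directory
// once joined: an absolute path, or a cleaned path that begins with "..".
// This is the condition a log-based detection on the X-Name value would flag.
func nameEscapes(name string) bool {
	cleaned := filepath.Clean(name)
	return filepath.IsAbs(cleaned) || cleaned == ".." ||
		strings.HasPrefix(cleaned, ".."+string(filepath.Separator))
}

func main() {
	// Constructed sample: an export to /data/backup with a traversal asset name.
	fmt.Println(assetPathUnsafe("/data/backup", "../../../bin/bash"))
	fmt.Println(assetPathSafe("/data/backup", "../../../bin/bash"))
	fmt.Println(nameEscapes("../../../bin/bash"), nameEscapes("notes/diagram.png"))
}
```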

Detection coverage (3 rules)

Detect Note Mark Asset Upload with Path Traversal Filename

high

Detects asset upload with path traversal sequences in the X-Name header, indicative of CVE-2026-44522 exploitation.

Format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect Note Mark Migrate Export with Path Traversal Filename

high

Detects command execution of `note-mark migrate export-v1` or `note-mark migrate export` with path traversal sequences.

Format: sigma | Tactics: execution | Techniques: T1059.004 | Sources: process_creation, linux

Detect Overwritten /bin/bash

critical

Detects modification of /bin/bash with a non-standard shebang, potentially indicating CVE-2026-44522 exploitation.

Format: sigma | Tactics: execution, persistence, privilege_escalation | Techniques: T1053.005, T1543.002 | Sources: file_event, linux
