<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>SiYuan Knowledge Management System - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/siyuan-knowledge-management-system/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/siyuan-knowledge-management-system/feed.xml" rel="self" type="application/rss+xml"/><item><title>SiYuan Knowledge Management System RCE via Mermaid Diagram Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-siyuan-rce/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-siyuan-rce/</guid><description>SiYuan versions 3.6.3 and below are vulnerable to arbitrary code execution due to insecure rendering of Mermaid diagrams, allowing injected javascript: URLs within Mermaid code blocks to execute arbitrary code when a victim opens a note containing a malicious Mermaid block and clicks the rendered diagram node.</description><content:encoded><![CDATA[<p>SiYuan, an open-source personal knowledge management system, is susceptible to arbitrary code execution in versions 3.6.3 and below. The vulnerability stems from the insecure rendering of Mermaid diagrams, a feature used for creating visual representations. Specifically, the application renders Mermaid diagrams with <code>securityLevel</code> set to &quot;loose&quot;, injecting the resulting SVG directly into the DOM using <code>innerHTML</code>. This insecure approach allows attacker-controlled <code>javascript:</code> URLs within Mermaid code blocks to persist in the rendered output. On desktop builds leveraging Electron, the application creates windows with <code>nodeIntegration</code> enabled and <code>contextIsolation</code> disabled. Consequently, when a user opens a note containing a malicious Mermaid block and interacts with the rendered diagram, the stored cross-site scripting (XSS) vulnerability escalates to arbitrary code execution. Users are advised to upgrade to version 3.6.4, which addresses this security flaw.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious SiYuan note containing a Mermaid diagram.</li>
<li>The Mermaid diagram includes a code block with a <code>javascript:</code> URL. Example: <code>mermaid graph LR; A[Click me] --&gt; B((Malicious Node)); click A &quot;javascript:require('child_process').exec('calc.exe');&quot; </code></li>
<li>The attacker saves the malicious note within SiYuan.</li>
<li>The victim opens the malicious note in the SiYuan desktop application (version 3.6.3 or earlier).</li>
<li>SiYuan renders the Mermaid diagram with <code>securityLevel</code> set to &quot;loose&quot;, injecting the SVG into the DOM via <code>innerHTML</code>.</li>
<li>The malicious <code>javascript:</code> URL is embedded within the rendered SVG.</li>
<li>The victim clicks on the rendered diagram node.</li>
<li>Due to <code>nodeIntegration</code> being enabled and <code>contextIsolation</code> being disabled in the Electron environment, the <code>javascript:</code> URL executes arbitrary code, effectively achieving remote code execution on the victim's machine.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows attackers to execute arbitrary code on a victim's machine. This can lead to complete system compromise, including data theft, malware installation, and unauthorized access to sensitive information stored within the SiYuan knowledge base or elsewhere on the system. Given that SiYuan is often used to store personal and professional notes, the impact could be substantial for affected users. The vulnerability affects any user running SiYuan version 3.6.3 or earlier on a desktop system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade SiYuan to version 3.6.4 or later to patch the vulnerability (CVE-2026-40322).</li>
<li>Deploy the Sigma rule &quot;Detect Suspicious SiYuan Mermaid Diagram Execution&quot; to identify potential exploitation attempts.</li>
<li>Monitor process creation events for unexpected child processes spawned from SiYuan, especially those related to command execution (e.g., <code>cmd.exe</code>, <code>powershell.exe</code>).</li>
<li>If upgrading is not immediately possible, consider disabling the Mermaid diagram rendering feature within SiYuan as a temporary workaround.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>siyuan</category><category>mermaid</category><category>rce</category><category>xss</category><category>electron</category></item></channel></rss>