CVE Vulnerabilities

CVE-2025-21609

Incomplete Cleanup

Published: Jan 03, 2025 | Modified: May 14, 2025
CVSS 3.x
9.1
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the POST /api/history/getDocHistoryContent endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.

Weakness

The product does not properly “clean up” and remove temporary or supporting resources after they have been used.

Affected Software

Name Vendor Start Version End Version
Siyuan B3log 3.1.18 (including) 3.1.18 (including)

Potential Mitigations

References