CVE-2026-25539

SiYuan · SiYuan

SiYuan's /api/file/copyFile endpoint fails to validate the 'dest' parameter, allowing authenticated users to write files to arbitrary locations, potentially leading to Remote Code Execution (RCE).

Executive summary

An arbitrary file write vulnerability in SiYuan allows an authenticated user to achieve Remote Code Execution by writing to any file the service account can modify, including cron entries and SSH authorized_keys files.

Vulnerability

The vulnerability is in the /api/file/copyFile endpoint: the dest parameter is not validated against the workspace root, so a path traversal sequence in dest lets an authenticated attacker write the copied file into sensitive locations such as shell configuration files or ~/.ssh/authorized_keys.
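The fix is a containment check on dest before any file is copied. The following Go function is an added, illustrative example of that check, not SiYuan's own handler code; the workspace path /srv/siyuan/workspace and the sample dest values are assumed for the demonstration. It resolves dest against the workspace root after cleaning "." and ".." segments, rejects absolute paths, and rejects any result whose path relative to the root starts with "..":

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when dest would resolve to a path that is
// not inside the workspace root.
var ErrOutsideWorkspace = errors.New("dest resolves outside the workspace")

// SafeDest resolves a user-supplied dest parameter against the workspace root
// and rejects anything that would land outside it. Illustrative check only,
// not the project's own code; the workspace root is an assumed deployment path.
func SafeDest(workspace, dest string) (string, error) {
	if dest == "" {
		return "", errors.New("dest is empty")
	}
	// Absolute destinations (either separator style) can never be valid:
	// the API is only meant to address files relative to the workspace.
	if filepath.IsAbs(dest) || strings.HasPrefix(dest, "/") || strings.HasPrefix(dest, "\\") {
		return "", ErrOutsideWorkspace
	}
	root, err := filepath.Abs(workspace)
	if err != nil {
		return "", err
	}
	// Join (which also Cleans) collapses "." and ".." segments, so
	// "data/../../etc/x" becomes a concrete path we can compare to the root.
	target := filepath.Clean(filepath.Join(root, filepath.FromSlash(dest)))
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	// After cleaning, any escape shows up as a leading ".." component of the
	// relative path. A plain string-prefix test on root would be fooled by a
	// sibling directory such as /srv/siyuan/workspace-old; a name like
	// "..foo" inside the workspace must still be accepted.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideWorkspace
	}
	return target, nil
}

func main() {
	const workspace = "/srv/siyuan/workspace" // assumed install path
	// Constructed sample inputs: one legitimate dest and three traversal attempts.
	for _, dest := range []string{
		"data/notes/20240101.sy",
		"../../../etc/crontab",
		"data/../../root/.ssh/authorized_keys",
		"/etc/profile.d/evil.sh",
	} {
		p, err := SafeDest(workspace, dest)
		fmt.Printf("%-40q -> %q (err=%v)\n", dest, p, err)
	}
}
```

The check is purely lexical: it does not follow symlinks. If the workspace can contain a symlink pointing outside it (and a user who can write files can usually create one), resolve the existing parent directory with filepath.EvalSymlinks before the Rel comparison, or open the target with O_NOFOLLOW / openat2 RESOLVE_BENEATH on kernels that support it.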

Business impact

Although the attack requires authentication, the impact is rated critical (CVSS 9.1) because it enables full compromise of the host. An attacker could gain persistent access to the server, leading to total loss of data integrity and confidentiality, exposure of private knowledge bases, and lateral movement within the corporate network.

Remediation

Immediate Action: Update the SiYuan installation to version 3.5.5 or later, which adds the missing validation of the dest parameter.

Proactive Monitoring: Review system-level logs for unauthorized modifications to sensitive files like /etc/crontab, ~/.ssh/authorized_keys, and shell profiles.

Compensating Controls: Restrict access to the SiYuan API to trusted networks and implement the principle of least privilege for the user account running the SiYuan service.
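Least privilege for the service account can be enforced at the service manager level so that even an unpatched instance cannot reach the files named above. The systemd unit below is an added example, not a unit shipped by the project; it assumes a dedicated siyuan user, a kernel binary at /opt/siyuan/kernel, a workspace at /srv/siyuan/workspace, and a management subnet of 10.0.20.0/24.

```ini
[Unit]
Description=SiYuan kernel (sandboxed service account)
After=network.target

[Service]
# Dedicated unprivileged account; the service never needs root.
User=siyuan
Group=siyuan
# Assumed binary path and workspace flag for this example.
ExecStart=/opt/siyuan/kernel --workspace=/srv/siyuan/workspace
Restart=on-failure

# Read-only view of the whole filesystem except the workspace, so an
# arbitrary-write bug cannot reach /etc/crontab, /etc/cron.d or shell profiles.
ProtectSystem=strict
ReadWritePaths=/srv/siyuan/workspace
# Hide /home, /root and /run/user entirely: no path to ~/.ssh/authorized_keys.
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
CapabilityBoundingSet=

# Restrict the API to the local host and the assumed management subnet;
# anything else should come through a reverse proxy or VPN.
IPAddressDeny=any
IPAddressAllow=localhost 10.0.20.0/24

[Install]
WantedBy=multi-user.target
```

Two caveats: ProtectHome=yes hides /home, so the workspace must not live there (move it or use ProtectHome=tmpfs with an explicit BindPaths= for the workspace), and IPAddressAllow/IPAddressDeny need cgroup v2 with BPF support in the kernel, so verify with systemd-analyze security after enabling the unit.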

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to write to arbitrary filesystem locations is a high-risk condition. Organizations should enforce immediate updates to version 3.5.5 and audit the server for any signs of unauthorized persistence mechanisms.