PT-2025-4297 · Unknown+1 · Siyuan Note+1
N0El4Kls · Published 2025-01-03 · Updated 2025-05-14 · CVE-2025-21609
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SiYuan Note version 3.1.18
Description: SiYuan Note is self-hosted, open-source personal knowledge management software. Version 3.1.18 contains an arbitrary file deletion vulnerability in the POST /api/history/getDocHistoryContent endpoint. The server processes the historyPath parameter of the request body, and when that value does not satisfy certain conditions the processing path deletes the referenced file. An attacker who sends a crafted request with a malicious historyPath value can therefore delete arbitrary files on the server.
Recommendations: For SiYuan Note version 3.1.18, upgrade to version 3.1.19, which is expected to include the fix for this vulnerability. As a temporary workaround, restrict access to the POST /api/history/getDocHistoryContent endpoint until the upgrade is applied, and avoid using the historyPath parameter of the affected endpoint until the issue is resolved.
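The root cause described above is a user-controlled path reaching a file-deleting code path without being confined to the directory the endpoint is meant to serve. The following Go code is an added example of the defensive pattern that prevents this bug class; it is not SiYuan's own code or its fix, and the base directory, the function names ResolveHistoryPath and SafeRemove, and the sample paths are all assumptions made for the example. The destructive operation is injected as a function so the check can be exercised without touching the filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a user-supplied path would resolve outside
// the directory the endpoint is allowed to touch.
var ErrOutsideBase = errors.New("history path escapes the allowed directory")

// ResolveHistoryPath confines userPath (a value such as a request's historyPath
// parameter) to baseDir and returns the cleaned absolute path on success.
// The check is purely lexical: absolute paths are rejected outright, and the
// joined path is compared against baseDir after ".." segments are collapsed.
// baseDir, userPath and the function name are assumptions for this example.
func ResolveHistoryPath(baseDir, userPath string) (string, error) {
	if strings.TrimSpace(userPath) == "" {
		return "", errors.New("empty history path")
	}
	// Absolute input can never be a path relative to the history directory.
	if filepath.IsAbs(userPath) {
		return "", ErrOutsideBase
	}
	base := filepath.Clean(baseDir)
	// Join runs Clean on the result, so "a/../../x" collapses before the check.
	joined := filepath.Join(base, userPath)
	rel, err := filepath.Rel(base, joined)
	if err != nil {
		return "", err
	}
	// rel is "." for the base itself and ".." or "../..." for anything above it;
	// neither is a history entry, so both are rejected.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return joined, nil
}

// SafeRemove validates userPath against baseDir and only then hands the
// resolved path to remove (os.Remove in production; injected here so the
// example runs without touching the filesystem).
func SafeRemove(baseDir, userPath string, remove func(string) error) error {
	target, err := ResolveHistoryPath(baseDir, userPath)
	if err != nil {
		return err
	}
	return remove(target)
}

func main() {
	base := "/var/siyuan/history" // constructed sample directory, not a real SiYuan path
	for _, p := range []string{
		"2025-01-03/doc.sy",
		"../../etc/passwd",
		"/etc/passwd",
		"a/../../escape",
	} {
		target, err := ResolveHistoryPath(base, p)
		fmt.Printf("%-20q -> target=%q err=%v\n", p, target, err)
	}
}
```

The check is lexical only: if the history directory can contain symlinks pointing outside it, resolve the validated path with filepath.EvalSymlinks and repeat the containment check on the result before deleting anything.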

Exploit

Fix

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers

CVE-2025-21609
GHSA-8FX8-PFFW-W498
GO-2025-3362
OPENSUSE-SU-2025:14624-1
OPENSUSE-SU-2025_0060-1
SUSE-SU-2025:0060-1

Affected Products

Siyuan Note
Suse