CVE-2025-21609
Published: 03 January 2025
Summary
CVE-2025-21609 is a critical-severity Incomplete Cleanup (CWE-459) vulnerability in B3Log Siyuan. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of identified flaws, such as applying the patch from commit d9887aeec1b27073bec66299a9b4181dc42969f3 to fix the arbitrary file deletion vulnerability in SiYuan 3.1.18.
Mandates validation of all information inputs to the /api/history/getDocHistoryContent endpoint to block crafted payloads that enable arbitrary file deletion.
Enforces identification and authentication for non-organizational users to prevent unauthenticated remote attackers from exploiting the vulnerable endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Public API endpoint allows unauthenticated remote arbitrary file deletion, directly enabling T1190 (exploit public-facing app) for access and T1485 (data destruction) for impact on integrity/availability.
NVD Description
SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.
Deeper analysis
SiYuan Note version 3.1.18, self-hosted, open source personal knowledge management software, contains an arbitrary file deletion vulnerability identified as CVE-2025-21609. The issue resides in the POST /api/history/getDocHistoryContent endpoint, where an attacker can craft a malicious payload to delete arbitrary files on the affected server. The flaw carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-459 (Incomplete Cleanup) and CWE-552 (Files or Directories Accessible to External Parties).
The vulnerability enables exploitation by unauthenticated remote attackers over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to delete any file on the server, potentially disrupting service availability and compromising data integrity without affecting confidentiality.
Mitigation is addressed in commit d9887aeec1b27073bec66299a9a4181dc42969f3 from the SiYuan GitHub repository, which resolves the issue and is expected to appear in version 3.1.19. Additional details are available in the GitHub Security Advisory at GHSA-8fx8-pffw-w498. Security practitioners should update to the patched version and review access to the affected endpoint.
Details
- CWE(s)