Cyber Resilience

CVE-2025-21609

High · Public PoC

Published: 03 January 2025

Modified: 14 May 2025
CVSS v4.0 score: 8.7 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (59.2nd percentile)
Risk priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21609 is a high-severity Incomplete Cleanup (CWE-459) vulnerability in B3Log Siyuan. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 40.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-10 (Information Input Validation).

Deeper analysis

SiYuan Note version 3.1.18, a self-hosted open source personal knowledge management software, contains an arbitrary file deletion vulnerability identified as CVE-2025-21609. The issue resides in the POST /api/history/getDocHistoryContent endpoint, where an attacker can craft a malicious payload to delete arbitrary files on the affected server. This flaw is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-459 (Incomplete Cleanup) and CWE-552 (Files or Directories Accessible to External Parties).

The vulnerability enables exploitation by unauthenticated remote attackers over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to delete any file on the server, potentially disrupting service availability and compromising data integrity without affecting confidentiality.

Mitigation is addressed in commit d9887aeec1b27073bec66299a9a4181dc42969f3 from the SiYuan GitHub repository, which resolves the issue and is expected to appear in version 3.1.19. Additional details are available in the GitHub Security Advisory at GHSA-8fx8-pffw-w498. Security practitioners should update to the patched version and review access to the affected endpoint.
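As an added, defender-side example (not code from the advisory or the SiYuan project), the Python below checks whether a reported SiYuan version falls below the expected fix release and scans reverse-proxy access logs for calls to the affected endpoint, the review of endpoint access recommended above. The combined-log format and the sample lines are constructed assumptions, not data from the advisory.

```python
"""Triage helpers for CVE-2025-21609 (SiYuan 3.1.18): flag exposed versions and
review calls to the affected endpoint. Added example; log lines are constructed."""
import re
from collections import Counter

AFFECTED_ENDPOINT = "/api/history/getDocHistoryContent"
FIXED_VERSION = (3, 1, 19)   # fix is expected in 3.1.19 per the advisory

def parse_version(text):
    """Turn '3.1.18' or 'v3.1.18-beta2' into a comparable tuple (3, 1, 18)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    """True for 3.1.18 and any older release; 3.1.19 and later carry the fix."""
    return parse_version(version) < FIXED_VERSION

# Assumed: a reverse proxy in front of SiYuan writes "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_endpoint_hits(lines):
    """Return every POST to the affected endpoint as a dict (ip, ts, status)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m.group("path").split("?", 1)[0]   # drop any query string
        if m.group("method") == "POST" and path == AFFECTED_ENDPOINT:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status"))})
    return hits

def hits_by_source(hits):
    """Count hits per source IP so unexpected callers stand out for review."""
    return Counter(h["ip"] for h in hits)

# Constructed sample log: two calls to the affected endpoint, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jan/2025:10:15:02 +0000] "POST /api/history/getDocHistoryContent HTTP/1.1" 200 512 "-" "curl/8.4"',
    '198.51.100.9 - - [04/Jan/2025:10:15:10 +0000] "GET / HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Jan/2025:10:16:44 +0000] "POST /api/history/getDocHistoryContent?x=1 HTTP/1.1" 200 512 "-" "curl/8.4"',
]

if __name__ == "__main__":
    print("3.1.18 affected:", is_affected("3.1.18"))   # True
    for ip, n in hits_by_source(find_endpoint_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {n} call(s) to {AFFECTED_ENDPOINT}")
```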


Vulnerability details

SiYuan is self-hosted, open source personal knowledge management software. SiYuan Note version 3.1.18 has an arbitrary file deletion vulnerability. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint. An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. Commit d9887aeec1b27073bec66299a9a4181dc42969f3 fixes this vulnerability and is expected to be available in version 3.1.19.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The public API endpoint allows unauthenticated remote arbitrary file deletion, directly enabling T1190 (exploit public-facing application) for initial access and T1485 (data destruction) for impact on integrity and availability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

Same product (B3Log Siyuan):
CVE-2026-40259
CVE-2026-32749
CVE-2026-34605
CVE-2026-34453
CVE-2026-32767
CVE-2026-29073
CVE-2026-32940
CVE-2026-25992
CVE-2026-23850
CVE-2026-32938

Affected Assets

Vendor: b3log; Product: siyuan; Version: 3.1.18

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Requires timely remediation of identified flaws, such as applying the patch from commit d9887aeec1b27073bec66299a9a4181dc42969f3 to fix the arbitrary file deletion vulnerability in SiYuan 3.1.18.

Prevent (SI-10, Information Input Validation): Mandates validation of all information inputs to the /api/history/getDocHistoryContent endpoint to block crafted payloads that enable arbitrary file deletion.

Prevent (IA-8, Identification and Authentication (Non-organizational Users)): Enforces identification and authentication for non-organizational users to prevent unauthenticated remote attackers from exploiting the vulnerable endpoint.
