CVE-2025-67488 in SiYuan

Summary

by MITRE • 12/10/2025

SiYuan is self-hosted, open source personal knowledge management software. Versions 0.0.0-20251202123337-6ef83b42c7ce and below contain the function importZipMd, which is vulnerable to ZipSlip, allowing an authenticated user to overwrite files on the system. An authenticated user with access to the import functionality in notes is able to overwrite any file on the system, and can escalate to full code execution under some circumstances. A fix is planned for version 3.5.0.

Analysis

by VulDB Data Team • 01/30/2026

The vulnerability CVE-2025-67488 affects SiYuan, a self-hosted open source personal knowledge management application that enables users to organize and manage their digital information. The flaw resides in the function importZipMd, which handles zip file imports, creating a critical security risk for systems running affected versions of the software. The vulnerability is classified as a ZipSlip attack vector, which represents a well-known class of archive extraction vulnerabilities that have been documented under CWE-598 and are commonly associated with the MITRE ATT&CK framework under the technique T1059.007 for command and scripting interpreter. It allows authenticated users with access to the import functionality to manipulate file paths during zip extraction, enabling them to overwrite arbitrary files on the target system.

The technical implementation of this vulnerability exploits the insecure handling of file paths within zip archives during the import process. When the system processes zip files containing specially crafted path entries such as ../etc/passwd or ../../windows/system32/cmd.exe, the application fails to properly validate or sanitize these paths before extraction. This allows an attacker to traverse the file system hierarchy and write files to locations outside the intended extraction directory. The vulnerability specifically affects versions up to and including 0.0.0-20251202123337-6ef83b42c7ce, making a large portion of the software's user base potentially susceptible to exploitation. The impact extends beyond simple file overwrites, as the ability to place malicious files in critical system directories can lead to privilege escalation and full system compromise under certain conditions.

The operational impact of this vulnerability is severe for organizations relying on SiYuan for knowledge management, particularly those with multiple users or shared systems where authentication mechanisms may not be sufficiently restrictive. An authenticated user with access to note import functionality can leverage this vulnerability to gain unauthorized control over system files, potentially leading to data exfiltration, system disruption, or complete compromise of the hosting environment. The vulnerability's exploitation does not require special privileges beyond authentication access to the application, making it particularly dangerous in environments where user access controls are not properly enforced. The potential for code execution escalation means that attackers could deploy malicious payloads, establish persistent backdoors, or modify system binaries to maintain long-term access to compromised systems. Organizations using SiYuan in production environments should consider this vulnerability as a high-priority concern requiring immediate attention.

The recommended mitigation strategy involves upgrading to version 3.5.0 or later, which contains the planned fix for this vulnerability. Until such an upgrade is possible, administrators should implement additional security controls including restricting user access to the import functionality, monitoring zip file imports for suspicious path patterns, and implementing network segmentation to limit potential damage from exploitation. The fix should address the root cause by implementing proper path validation and sanitization during zip file extraction, ensuring that all file paths are checked against a whitelist of allowed directories or properly normalized to prevent directory traversal attacks. Security teams should also consider deploying intrusion detection systems capable of identifying attempts to exploit ZipSlip vulnerabilities, and conduct regular security assessments to verify that the application is properly configured to prevent such attacks. The vulnerability highlights the importance of secure coding practices in archive handling functions and demonstrates how seemingly simple functionality can present significant security risks when not properly validated.
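The path validation described above, as an added example in Go (the language of SiYuan's kernel); it is not SiYuan's code or its fix. The names `safeJoin`, `auditZip` and `sampleZip`, the destination `/tmp/import` and the archive entries are hypothetical and constructed for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps a zip entry name to a path under destDir and rejects empty,
// absolute or ".."-escaping names; "\" is treated as a separator too.
func safeJoin(destDir, entryName string) (string, error) {
	name := filepath.FromSlash(strings.ReplaceAll(entryName, `\`, "/"))
	if !filepath.IsLocal(name) { // lexical check, Go 1.20+
		return "", fmt.Errorf("rejected entry %q: resolves outside %s", entryName, destDir)
	}
	return filepath.Join(destDir, name), nil
}

// auditZip returns the entry names in an archive that safeJoin refuses.
func auditZip(data []byte, destDir string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) { // reader still usable
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// sampleZip builds a constructed in-memory archive (entry names are made up).
func sampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range []string{"notes/a.md", "../outside.md", "notes/../../b.md"} {
		w.Create(n) // header only, empty body
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	fmt.Println(auditZip(sampleZip(), "/tmp/import"))
}
```

The check is purely lexical, so an extractor should also refuse to write through symlinks that already exist under the destination directory.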

Responsible: GitHub M
Reservation: 12/08/2025
Disclosure: 12/10/2025
Moderation: accepted
CPE: ready
EPSS: 0.00066
KEV: no
Activities: very low
