CVE-2026-25992

Severity: HIGH 7.5 | EPSS: 0.09%

SiYuan File Read API Case Sensitivity Bypass can Lead to Path Traversal

Published: 1/28/2026
Modified: 2/10/2026
Also known as: GHSA-f72r-2h5j-7639, GO-2026-4386

Description

# File Read Interface Case Bypass Vulnerability

## Vulnerability Name

File Read Interface Case Bypass Vulnerability

## Overview

The `/api/file/getFile` endpoint uses **case-sensitive string equality checks** to block access to sensitive files. On case-insensitive file systems such as **Windows**, attackers can bypass these checks with mixed-case paths and read protected configuration files.

## Impact

- Read sensitive information from configuration files (e.g., access codes, API tokens, sync configuration).
- Directly exploitable over the network when the service is published without authentication.

## Trigger Conditions

- Running on a **case-insensitive file system**.
- The caller can reach `/api/file/getFile` (via CheckAuth or Token injection in published services).

## PoC (Generic Example)

After enabling publication:

**Request:**

```http
POST /api/file/getFile
Content-Type: application/json

{"path":"cOnf/conf.json"}
```

**Expected Result:**

- The content of the configuration file is returned successfully.

## Root Cause

Path comparison uses strict case-sensitive string matching, with no case normalization and no same-file validation.

## Fix Recommendations

- Normalize path casing before comparison (Windows/macOS).
- Use file-level comparison methods such as `os.SameFile`.
- Apply blacklist validation on sensitive paths **after case normalization**.

## Notes

- Environment identifiers and sensitive information have been removed.

## Solution

Commit `399a38893e8719968ea2511e177bb53e09973fa6`
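The root cause and the recommended fix side by side, as an added Go example that is not SiYuan's code: `protectedPaths`, `vulnerableCheck` and `hardenedCheck` are names chosen here, the one-entry deny list is constructed, and `root` stands for the workspace directory the endpoint serves from.

```go
package main

import (
	"errors"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// Files the endpoint must never serve (constructed; not SiYuan's real list).
var protectedPaths = []string{"conf/conf.json"}
var errForbidden = errors.New("access to protected file denied")

// vulnerableCheck mirrors the root cause: a case-sensitive equality test.
func vulnerableCheck(reqPath string) error {
	for _, p := range protectedPaths {
		if reqPath == p {
			return errForbidden
		}
	}
	return nil // "cOnf/conf.json" gets here, yet opens conf/conf.json on NTFS
}

// hardenedCheck applies the advisory's recommendations in order: normalize
// the path, compare it to the deny list case-insensitively, then let the OS
// (os.SameFile) decide whether the target is a protected file under any name.
func hardenedCheck(root, reqPath string) error {
	clean := path.Clean(strings.ReplaceAll(reqPath, `\`, "/"))
	if filepath.VolumeName(reqPath) != "" || strings.HasPrefix(clean, "/") ||
		clean == ".." || strings.HasPrefix(clean, "../") {
		return errForbidden // absolute path or escape above the workspace
	}
	for _, p := range protectedPaths {
		if strings.EqualFold(clean, p) {
			return errForbidden // catches cOnf/conf.json on any file system
		}
	}
	reqInfo, err := os.Stat(filepath.Join(root, filepath.FromSlash(clean)))
	if err != nil {
		return err // nothing to serve; the caller reports not-found
	}
	for _, p := range protectedPaths {
		info, err := os.Stat(filepath.Join(root, filepath.FromSlash(p)))
		if err == nil && os.SameFile(info, reqInfo) {
			return errForbidden // same file reached via symlink or hard link
		}
	}
	return nil
}
```

The string comparison alone would still miss a symlink or hard link to a protected file, which is why the file-level `os.SameFile` comparison stays as the last line of defence.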

Affected packages (2)

CVSS scores

Source  Version   Severity  Vector
osv     CVSS 4.0  -         CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv     CVSS 3.1  HIGH 7.5  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)