CVE-2025-68948
Hardcoded Key in SiYuan Note Enables Session Hijacking
Publication date: 2025-12-27
Last updated on: 2025-12-27
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| siyuan | siyuan_note | 3.5.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because SiYuan Note, in versions 3.5.1 and earlier, uses a hardcoded cryptographic secret for its session store, which makes the session-cookie encryption ineffective. An attacker who intercepts or otherwise obtains a user's encrypted session cookie can decrypt it locally with the publicly known hardcoded key, recover the sensitive AccessAuthCode in plain text, and use it to authenticate as the user or take over the user's session.
How can this vulnerability impact me?
The vulnerability can allow an attacker to hijack a user's session by decrypting the session cookie and obtaining the AccessAuthCode. This can lead to unauthorized access to the user's account and potentially allow the attacker to perform actions on behalf of the user within the SiYuan Note application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability leads to the exposure of sensitive authentication credentials (AccessAuthCode) due to the use of a hardcoded cryptographic key, resulting in potential unauthorized access and full account takeover. Such exposure and unauthorized access to personal or sensitive data can violate data protection requirements under standards like GDPR and HIPAA, which mandate the protection of personal data and secure authentication mechanisms. Therefore, this vulnerability negatively impacts compliance with these regulations by compromising data confidentiality and user authentication security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by capturing and analyzing SiYuan Note session cookies to check whether they are encrypted with the known hardcoded cryptographic key. A proof-of-concept (PoC) script that demonstrates decrypting the session cookie with the hardcoded key is available. To detect exploitation or presence, capture network traffic containing session cookies (for example with tcpdump or Wireshark) and run the PoC script against the captured cookies to see whether the AccessAuthCode can be decrypted. Example commands:

1. Capture HTTP traffic with session cookies: `tcpdump -i <interface> -w capture.pcap port 80 or 443`
2. Extract the cookies from the capture using Wireshark or tshark.
3. Run the PoC decryption script (provided in the advisory) on the extracted cookies to verify whether the AccessAuthCode can be decrypted. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the SiYuan Note application to version 3.5.2 or later, where the hardcoded cryptographic key issue has been fixed. This update removes the use of the static, publicly accessible encryption key and properly secures session cookies. Additionally, avoid using unencrypted networks to prevent session hijacking, and consider invalidating existing sessions to prevent reuse of compromised cookies. [1]
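As an added illustration of the pattern CWE-321 names in the explanation above and of why the 3.5.2 fix matters (a constructed Go example, not SiYuan's code and not the advisory's PoC): a session cookie sealed under a compile-time constant opens for anyone who knows that constant, while one sealed under a key generated per installation does not. The key value, the JSON payload and the nonce||ciphertext cookie layout are all placeholders.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed placeholder for a compile-time constant key (the real SiYuan value is not
// reproduced here): anyone who has read the source or the binary holds it too.
var hardcodedKey = []byte("placeholder-static-key-32-bytes!") // 32 bytes, AES-256
// sessionStore is the AES-256-GCM sealer a cookie session store would hold for its key.
func sessionStore(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCookie encrypts a session payload; the cookie value is nonce||ciphertext.
func sealCookie(gcm cipher.AEAD, payload []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, payload, nil), nil
}

// openCookie reverses sealCookie; it fails under any other key or on a truncated/tampered cookie.
func openCookie(gcm cipher.AEAD, cookie []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(cookie) < ns {
		return nil, fmt.Errorf("cookie too short: %d bytes", len(cookie))
	}
	return gcm.Open(nil, cookie[:ns], cookie[ns:], nil)
}

func main() {
	payload := []byte(`{"AccessAuthCode":"constructed-sample"}`) // constructed session payload
	weak, _ := sessionStore(hardcodedKey)
	c, _ := sealCookie(weak, payload)
	pt, _ := openCookie(weak, c) // anyone holding the constant recovers the AccessAuthCode
	var k [32]byte // hardened alternative: a random key generated once per installation
	rand.Read(k[:])
	strong, _ := sessionStore(k[:])
	c2, _ := sealCookie(strong, payload)
	_, err := openCookie(weak, c2) // the constant no longer opens anything
	fmt.Printf("static key: %s\nper-install key, tried with constant: %v\n", pt, err)
}
```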