siyuan-electron-rce-pushmsg

SiYuan desktop notifications allow Electron RCE via POST /api/notification/pushMsg — a nasty local code execution risk

What happened

The key detail is the notification sink, POST /api/notification/pushMsg, which accepts a user-controlled msg value, forwards it through the backend broadcast layer, and then renders it as raw HTML in the Electron renderer. Because desktop builds of SiYuan were shipped with nodeIntegration set to true, contextIsolation set to false and webSecurity disabled, that rendered HTML can call Node APIs and escalate to desktop code execution.

SiYuan, a personal knowledge management system, is affected in desktop versions before 3.6.5. The vulnerability allows script delivered via the notification path to execute with the same privileges as the app; the vendor fixed the issue in 3.6.5. The fix was published when the flaw was reported, but details about active exploitation or the discovery timeline have not been disclosed.
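The three renderer flags the article describes, side by side with a hardened equivalent and a release-gate check that flags the dangerous combination. This is an added example, not SiYuan's source; the `vulnerablePrefs` object is constructed from the article's description, and the `sandbox` key is an extra hardening step beyond the three flags the article names.

```javascript
// Added example (not SiYuan's code): Electron webPreferences for the vulnerable
// build as the article describes it, a hardened equivalent, and an audit function
// suitable for a CI or supplier-assessment gate.

// Constructed to match the article's description of desktop builds before 3.6.5.
const vulnerablePrefs = {
  nodeIntegration: true,   // HTML rendered in the page can reach Node APIs
  contextIsolation: false, // page scripts share globals with preload/Electron code
  webSecurity: false,      // same-origin policy and related restrictions are off
};

// What the "harden Electron builds" step amounts to: the renderer is a plain web page.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  webSecurity: true,
  sandbox: true,           // assumption: additionally run the renderer sandboxed
};

// For each key: the only value the gate accepts, and why the other value matters here.
// Keys must be set explicitly so the intent is visible to reviewers.
const REQUIRED = {
  nodeIntegration:  { safe: false, why: 'rendered HTML could call Node APIs' },
  contextIsolation: { safe: true,  why: 'page scripts could reach Electron internals' },
  webSecurity:      { safe: true,  why: 'cross-origin and inline-script restrictions are off' },
  sandbox:          { safe: true,  why: 'renderer process runs without an OS sandbox' },
};

// Returns a list of findings; an empty list means the config passes the gate.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(REQUIRED)) {
    if (!(key in prefs)) {
      findings.push(`${key}: not set explicitly, set it to ${rule.safe}`);
    } else if (prefs[key] !== rule.safe) {
      findings.push(`${key}=${prefs[key]}: ${rule.why}`);
    }
  }
  return findings;
}

// How the hardened config is applied when the window is created; BrowserWindow is
// passed in so the audit logic above can also run outside Electron.
function createMainWindow(BrowserWindow) {
  return new BrowserWindow({ width: 1200, height: 800, webPreferences: hardenedPrefs });
}
```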

Why this matters to businesses

Although SiYuan bills itself as a personal tool, businesses often end up with shadow-deployed apps on employee machines, so this matters beyond a single laptop. If an attacker can get a notification to a user, they can run code on that endpoint, access files, and read any local secrets the app can reach, for example cached tokens or local configuration.

This is an obvious but worthwhile reminder: "patch later" thinking will bite you. Shared accounts, privileged local services and writable developer flags in production are the usual accelerants to this type of compromise.

If you’ve got the same weakness, here’s what happens next

If your fleet runs the vulnerable SiYuan build, a successful exploit gives an attacker arbitrary desktop code execution under the app user. From there, the realistic next steps are file theft, credential scraping, implant persistence, and attempts to move laterally using any tokens or credentials stored on that machine. Quiet persistence is the scary part, because it often looks like normal user activity until someone notices unusual outbound connections or strange processes.

Since the vector is a broadcasted notification, a single compromised sender or a misconfigured server component can multiply impact quickly across devices that subscribe to the same feed.

What to do on Monday morning

  • Update SiYuan clients to 3.6.5 immediately where you use the desktop app.
  • Audit your notification infrastructure and restrict who can send push messages, add authentication and rate limits, and validate inputs server-side to reject HTML or script payloads.
  • Harden Electron builds by disabling nodeIntegration, enabling contextIsolation and keeping webSecurity enabled, then rebuild and redeploy the app to users.
  • Search logs for POST /api/notification/pushMsg activity and for unusual broadcast messages, then scope any suspicious deliveries to identify affected endpoints.
  • Check local machines for unexpected processes, new autoruns and dumped credentials, and isolate any compromised hosts for forensic capture.
  • Rotate any secrets or tokens that might have been accessible to the app, and reissue credentials if you suspect exposure.
  • Ensure backup and imaging processes are intact so you can rebuild clean endpoints without long delays.
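Two of the steps above, the server-side rejection of HTML or script payloads and the log search for pushMsg activity, as an added example that is not SiYuan's code. The log line format, the message length limit and the per-client threshold are assumptions, and the sample log lines are constructed.

```javascript
// Added example (not SiYuan's code): a server-side gate for the msg field of
// POST /api/notification/pushMsg, and a scan of access-log lines for pushMsg
// activity grouped by client.

const MAX_MSG_LEN = 500;                    // assumed limit for a notification
// Denylist for anything that could open a tag or carry a script URL. This is a
// backstop only; the real fix is the renderer inserting msg as text, not HTML.
const MARKUP_OR_SCRIPT = /[<>]|&#|javascript:/i;

// Returns { ok: true, msg } or { ok: false, reason }.
function validatePushMsg(body) {
  if (body === null || typeof body !== 'object') return { ok: false, reason: 'body must be an object' };
  const { msg } = body;
  if (typeof msg !== 'string') return { ok: false, reason: 'msg must be a string' };
  if (msg.length === 0 || msg.length > MAX_MSG_LEN) return { ok: false, reason: 'msg length out of range' };
  if (MARKUP_OR_SCRIPT.test(msg)) return { ok: false, reason: 'msg contains markup or script' };
  return { ok: true, msg };
}

// Assumed combined-log style line: client ip ... "METHOD path proto" status size.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})/;

// Groups pushMsg POSTs by client; a client sending more than `limit` is flagged.
function scanPushMsgLog(lines, limit = 3) {
  const byClient = new Map();
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, method, path, status] = m;
    if (method !== 'POST' || path !== '/api/notification/pushMsg') continue;
    const entry = byClient.get(ip) || { count: 0, accepted: 0 };
    entry.count += 1;
    if (status.startsWith('2')) entry.accepted += 1;   // accepted = actually broadcast
    byClient.set(ip, entry);
  }
  return [...byClient].map(([ip, e]) => ({ ip, ...e, suspicious: e.count > limit }));
}

// Constructed sample lines, not real traffic.
const SAMPLE_LOG = [
  '10.0.0.5 - - [10/Jan/2025:09:00:01 +0000] "POST /api/notification/pushMsg HTTP/1.1" 200 41',
  '10.0.0.5 - - [10/Jan/2025:09:00:02 +0000] "GET /api/system/version HTTP/1.1" 200 12',
  '198.51.100.7 - - [10/Jan/2025:09:01:00 +0000] "POST /api/notification/pushMsg HTTP/1.1" 200 41',
  '198.51.100.7 - - [10/Jan/2025:09:01:01 +0000] "POST /api/notification/pushMsg HTTP/1.1" 200 41',
  '198.51.100.7 - - [10/Jan/2025:09:01:02 +0000] "POST /api/notification/pushMsg HTTP/1.1" 401 0',
  '198.51.100.7 - - [10/Jan/2025:09:01:03 +0000] "POST /api/notification/pushMsg HTTP/1.1" 200 41',
];
```

Scoping a suspicious client is then a matter of listing the accepted deliveries from that address and the endpoints subscribed to the feed at those times.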

Where ISO standards fit, without the sales pitch

An ISO 27001 aligned management system reduces the odds of this turning into a wider crisis, because change control and secure development requirements make dangerous build flags less likely to reach production. If you want a concise primer on how ISO practices help, see what ISO 27001 covers.

For smaller organisations that want baseline assurance, IASME-style controls help you stop the obvious things quickly, such as ensuring apps don't run with unnecessary local privileges and that vendor updates are tracked; see IASME baseline controls.

When endpoint continuity matters, for example if many staff rely on the same desktop app, tie your recovery plans back to business continuity playbooks so you can rapidly rebuild devices and restore service, see business continuity guidance.

Finally, include secure development checks for Electron apps in supplier assessments and SDLC gates, so unsafe flags like nodeIntegration: true are flagged before a release reaches users.

SiYuan is a single product, but the lesson is general: treat desktop apps as networked services and harden their messaging paths now, not later.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.