usd-2025-60 | Broken Access Control in Memo Reactions

Product: memos
Affected Version: v0.25.2
Vulnerability Type: CWE-862: Missing Authorization
Security Risk: Low
Vendor: usememos
Vendor URL: https://github.com/usememos/memos
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
CVE Number: CVE-2025-65796
CVE Link: https://www.cve.org/CVERecord?id=CVE-2025-65796
Advisory ID: usd-2025-60

Description

Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth/SSO integration, activity logging, and internationalization.

An authenticated, low-privileged attacker can delete arbitrary reactions on other users' memos, including reactions the attacker did not create.

Proof of Concept

The following HTTP request can be issued by any authenticated, low-privileged user with the numeric ID of a reaction created by another user. The backend deletes the reaction without verifying that the caller created it.

DELETE /api/v1/reactions/<NumericIdOfReaction> HTTP/1.1
Host: memos:5230
Cookie: user_session=3-3a[... REDACTED ...]79

Fix

A fix for the vulnerability has been submitted to the vendor as a pull request and is included in version 0.25.3.
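To illustrate the class of bug and the shape of the fix, the following Go snippet is an added example written for this advisory; it is not code from the memos project and does not reproduce the vendor's patch. The types, store and error values are hypothetical, in-memory stand-ins for the real data model. It places the CWE-862 pattern (a delete handler that authenticates the caller but never checks who owns the target object) next to a hardened version that enforces object-level authorization before deleting.

```go
package main

import (
	"errors"
	"fmt"
)

// Reaction and User are hypothetical, in-memory stand-ins for the memos data
// model; they are not the project's own types.
type Reaction struct {
	ID        int64
	MemoID    int64
	CreatorID int64 // user who created the reaction
}

type User struct {
	ID    int64
	Admin bool // instance administrators may moderate any reaction
}

var (
	ErrNotFound         = errors.New("reaction not found")
	ErrPermissionDenied = errors.New("permission denied")
)

// Store holds reactions keyed by ID (constructed sample data only).
type Store struct {
	reactions map[int64]Reaction
}

func NewStore(rs ...Reaction) *Store {
	s := &Store{reactions: make(map[int64]Reaction, len(rs))}
	for _, r := range rs {
		s.reactions[r.ID] = r
	}
	return s
}

// Count returns the number of reactions still present.
func (s *Store) Count() int { return len(s.reactions) }

// DeleteReactionVulnerable mirrors the CWE-862 pattern described in the
// advisory: the caller is authenticated (we receive a User), but the handler
// never checks that this caller may delete this particular reaction, so any
// logged-in user can remove any reaction by guessing or enumerating its ID.
func (s *Store) DeleteReactionVulnerable(caller User, id int64) error {
	if _, ok := s.reactions[id]; !ok {
		return ErrNotFound
	}
	delete(s.reactions, id) // caller is never consulted
	return nil
}

// DeleteReactionFixed loads the reaction first and deletes it only when the
// caller created it or is an administrator (object-level authorization).
func (s *Store) DeleteReactionFixed(caller User, id int64) error {
	r, ok := s.reactions[id]
	if !ok {
		return ErrNotFound
	}
	if r.CreatorID != caller.ID && !caller.Admin {
		return ErrPermissionDenied
	}
	delete(s.reactions, id)
	return nil
}

func main() {
	alice := User{ID: 100}
	bob := User{ID: 200}

	// Constructed sample data: alice reacted to memo 10 with reaction 1.
	vuln := NewStore(Reaction{ID: 1, MemoID: 10, CreatorID: alice.ID})
	fmt.Println("vulnerable, bob deletes alice's reaction:", vuln.DeleteReactionVulnerable(bob, 1))

	fixed := NewStore(Reaction{ID: 1, MemoID: 10, CreatorID: alice.ID})
	fmt.Println("fixed, bob deletes alice's reaction:", fixed.DeleteReactionFixed(bob, 1))
	fmt.Println("fixed, alice deletes her own reaction:", fixed.DeleteReactionFixed(alice, 1))
}
```

Two points a practitioner should take from this. First, the check has to live in the server-side handler: the PoC request above is sent directly to the API and bypasses whatever the React frontend hides or disables. Second, distinguishing ErrPermissionDenied from ErrNotFound confirms to a caller that a reaction with that ID exists; if reaction IDs are considered sensitive, returning the not-found error in both cases avoids that oracle at the cost of a less informative response.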

References

Timeline

  • 2025-11-03: First contact request
  • 2025-11-04: Pull request submitted
  • 2025-11-06: Commit merged to main by vendor
  • 2025-11-25: Version 0.25.3 was released
  • 2025-12-03: This advisory is published

Credits

This security vulnerability was identified by Florian Dewald of usd AG.