{"id":24636,"date":"2025-12-05T12:52:21","date_gmt":"2025-12-05T11:52:21","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=24636"},"modified":"2025-12-10T14:51:16","modified_gmt":"2025-12-10T13:51:16","slug":"usd-2025-0060","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2025-0060\/","title":{"rendered":"usd-2025-0060"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.27.4\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n

usd-2025-60 | Broken Access Control in Memo Reactions<\/h1>\n

<\/h1>\n

Product<\/strong>: memos
Affected Version<\/strong>: v0.25.2
Vulnerability Type<\/strong>: CWE-862: Missing Authorization
Security Risk<\/strong>: Low
Vendor<\/strong>: usememos
Vendor URL<\/strong>: https:\/\/github.com\/usememos\/memos<\/a>
Vendor acknowledged vulnerability<\/strong>: Yes
Vendor Status<\/strong>: Fixed
CVE Number<\/strong>: CVE-2025-65796
CVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2025-65796<\/a>
Advisory ID<\/strong>: usd-2025-60<\/p>\n

Description<\/h3>\n

Memos is a lightweight, self-hosted knowledge management and note-taking platform designed for personal use. The architecture features a Go backend paired with a React+Vite frontend, using gRPC for internal communication and providing REST API access through gRPC-Gateway. It supports multiple database backends (SQLite, MySQL, PostgreSQL) and includes features like file attachments, OAuth\/SSO integration, activity logging, and internationalization.<\/p>\n

An authenticated, low-privileged attacker can delete arbitrary reactions made to other user's Memos.<\/p>\n

Proof of Concept<\/h3>\n

The following HTTP request can be used by low-privileged users to delete arbitrary reactions.<\/p>\n

\n
<\/span>DELETE<\/span> \/api\/v1\/reactions\/<NumericIdOfReaction><\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> memos:5230<\/span>\nCookie<\/span>:<\/span> user_session=3-3a[... REDACTED ...]79<\/span>\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
Fixes for all mentioned vulnerabilities have been submitted as pull request<\/a>.<\/p>\n
References<\/h3>\n