CVE-2025-22952

9.8 CRITICAL

📋 TL;DR

CVE-2025-22952 is a Server-Side Request Forgery (SSRF) vulnerability in elestio memos v0.23.0 that allows attackers to make unauthorized requests from the server to internal or external systems. This affects all deployments running the vulnerable version, potentially exposing internal network resources or enabling data exfiltration.

💻 Affected Systems

Products:
  • elestio memos
Versions: v0.23.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of memos v0.23.0 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access internal services, exfiltrate sensitive data, or pivot to other systems within the network, potentially leading to full network compromise.

🟠

Likely Case

Unauthorized access to internal HTTP services, metadata services (like AWS/Azure instance metadata), or local file inclusion via file:// protocol.

🟢

If Mitigated

Limited to accessing only allowed external resources if proper URL validation and network segmentation are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the memos application. The vulnerability is in URL validation logic when processing user-supplied URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v0.23.1 or later

Vendor Advisory: https://github.com/usememos/memos/issues/4413

Restart Required: Yes

Instructions:

1. Backup your memos data.
2. Stop the memos service.
3. Update to v0.23.1 or later using your deployment method (Docker, binary, etc.).
4. Restart the service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Restrict outbound network access from the memos server to only necessary external services

Use firewall rules to block outbound HTTP/HTTPS from memos server except to required external APIs

Input Validation

Applies to: all

Implement additional URL validation at the application layer or WAF

Configure WAF rules to block SSRF patterns and internal IP ranges

🧯 If You Can't Patch

  • Implement strict network egress filtering to prevent access to internal IP ranges and metadata services
  • Deploy a WAF with SSRF protection rules in front of the application

🔍 How to Verify

Check if Vulnerable:

Check if running memos v0.23.0 by accessing the web interface or checking the container/binary version

Check Version:

docker exec memos-container cat /app/version.txt

Alternatively, check the version shown in the web interface footer.

Verify Fix Applied:

Confirm version is v0.23.1 or later and test URL validation functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from memos server
  • Requests to internal IP addresses or metadata services

Network Indicators:

  • HTTP traffic from memos server to unexpected internal/external destinations

SIEM Query:

source="memos" AND (dest_ip IN (RFC1918_RANGES) OR dest_host LIKE "metadata.*")
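The following Go program is an added example, not code from the memos project or from this advisory; Go is chosen because memos itself is written in Go. It implements the application-layer check the "Input Validation" workaround above calls for (scheme allow-list, then a range check on every address the host resolves to, so a public hostname that points at loopback or the metadata address is rejected) and reuses the same range classifier to apply the "Log Indicators" to egress log lines. The Resolver type, the function names, the stub resolver's answers and the "dest=<host>:<port>" log line format are all constructed assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check can run offline (assumed type); checking
// the resolved addresses rather than the host string is what catches a public
// name that points at 127.0.0.1 or 169.254.169.254.
type Resolver func(host string) ([]net.IP, error)

// IsInternalIP reports whether a server-side fetch must never reach ip: loopback,
// RFC1918/ULA, link-local (cloud metadata lives at 169.254.169.254), unspecified
// or multicast, 0.0.0.0/8 and CGNAT 100.64.0.0/10. The net.IP methods normalise
// IPv4-mapped forms such as ::ffff:10.0.0.1 before comparing.
func IsInternalIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsUnspecified() || ip.IsMulticast() {
		return true
	}
	if ip4 := ip.To4(); ip4 != nil {
		return ip4[0] == 0 || (ip4[0] == 100 && ip4[1]&0xc0 == 64)
	}
	return false
}

// ValidateOutboundURL is the application-layer check the "Input Validation"
// workaround describes: http/https only, and every resolved address must be
// public. It returns those addresses so the caller can dial them directly
// instead of re-resolving, which closes the DNS-rebinding window.
func ValidateOutboundURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparsable URL: %w", err)
	}
	if s := strings.ToLower(u.Scheme); s != "http" && s != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme) // rejects file://, gopher:// ...
	}
	host := u.Hostname() // brackets of an IPv6 literal are already stripped
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS, but still range-checked
	} else if ips, err = resolve(host); err != nil {
		return nil, fmt.Errorf("resolve %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("host %q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if IsInternalIP(ip) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return ips, nil
}

// FlagOutboundLog applies the "Log Indicators" to egress log lines of the
// constructed form "<ts> memos dest=<host>:<port> ...", returning the lines
// whose destination is an internal address or a metadata hostname.
func FlagOutboundLog(lines []string) []string {
	var hits []string
	for _, line := range lines {
		for _, f := range strings.Fields(line) {
			host, _, err := net.SplitHostPort(strings.TrimPrefix(f, "dest="))
			if !strings.HasPrefix(f, "dest=") || err != nil {
				continue
			}
			ip := net.ParseIP(host)
			if (ip != nil && IsInternalIP(ip)) || strings.HasPrefix(host, "metadata.") {
				hits = append(hits, line)
			}
		}
	}
	return hits
}

func main() {
	// Constructed resolver standing in for DNS: one honest name, one whose
	// answer is the cloud metadata address.
	stub := func(host string) ([]net.IP, error) {
		if host == "cdn.example.com" {
			return []net.IP{net.ParseIP("93.184.216.34")}, nil
		}
		return []net.IP{net.ParseIP("169.254.169.254")}, nil
	}
	for _, raw := range []string{"https://cdn.example.com/a.png", "http://app.example.net/", "file:///etc/hosts"} {
		_, err := ValidateOutboundURL(raw, stub)
		fmt.Printf("%-30s -> %v\n", raw, err)
	}
	fmt.Println(FlagOutboundLog([]string{ // constructed egress log lines
		"2025-01-01T00:00:00Z memos dest=93.184.216.34:443 url=https://cdn.example.com/a.png",
		"2025-01-01T00:00:01Z memos dest=169.254.169.254:80 url=http://169.254.169.254/",
	}))
}
```

In a real fetcher, pass net.LookupIP as the Resolver, then connect with an http.Transport whose DialContext dials the returned address rather than the hostname, and stop automatic redirect following (or re-run the check on every redirect target), since a redirect to an internal address bypasses a one-time check. This check complements, rather than replaces, the egress filtering workaround: the network rule still catches anything the application-layer validator misses.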

🔗 References
