CVE-2025-56761

5.4 MEDIUM

📋 TL;DR

Memos 0.22 has a stored XSS vulnerability in upload attachment and user avatar features where uploaded content isn't validated before being served back. Authenticated attackers can inject malicious scripts that execute when viewed by administrators, potentially leading to privilege escalation. Only Memos instances running vulnerable versions with authenticated user access are affected.

💻 Affected Systems

Products:
  • Memos
Versions: 0.22, and possibly earlier versions, up to the fixed release
Operating Systems: All platforms running Memos
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to exploit; admin viewing of malicious content triggers the attack.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leading to full system takeover, data exfiltration, or deployment of additional malware.

🟠 Likely Case: Session hijacking, credential theft, or limited privilege escalation within the Memos application.

🟢 If Mitigated: Isolated script execution with minimal impact due to proper content security policies and input validation.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but exposed instances are vulnerable to targeted attacks.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and social engineering/admin interaction to trigger the stored XSS.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.24.0 or later (references show fixes in 0.24.0 and 0.24.4)

Vendor Advisory: https://github.com/usememos/memos/security/advisories

Restart Required: No

Instructions:

1. Backup your Memos data.
2. Update to Memos version 0.24.0 or later.
3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Disable file uploads (Platform: all)

Temporarily disable attachment and avatar upload features to prevent exploitation.
Action: Modify Memos configuration to disable file upload functionality.

Implement Content Security Policy (Platform: all)

Add strict CSP headers to limit script execution from untrusted sources.
Action: Add a 'Content-Security-Policy' header with the script-src 'self' directive.
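The TL;DR's root cause (uploads served back without validation) and the CSP workaround above point at the same fix on the serving side. The following is an added Go example, not Memos' own code; the allow-list of inline image types, the header values and the sample payload are assumptions made for illustration:

```go
package main

import (
	"net/http"
	"strings"
)

// MIME types allowed to render inline (avatars, image attachments).
// Assumed policy for this example, not Memos' own configuration.
var inlineTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
}

// detectType sniffs the stored bytes instead of trusting the client-supplied
// filename or Content-Type; a ".png" full of HTML still comes back as text/html.
func detectType(data []byte) string {
	ct := http.DetectContentType(data)
	if i := strings.Index(ct, ";"); i >= 0 {
		ct = ct[:i]
	}
	return strings.TrimSpace(ct)
}

// safeName strips characters that could break out of the Content-Disposition header.
func safeName(name string) string {
	return strings.NewReplacer(`"`, "", `\`, "", "/", "", "\r", "", "\n", "").Replace(name)
}

// uploadHeaders builds the response headers for a stored upload: only sniffed
// image types render inline, everything else (HTML, SVG, plain text) is forced
// to download, and nosniff plus a sandboxed CSP keep the browser from running
// script even if a file slips through. Copy these onto the ResponseWriter.
func uploadHeaders(data []byte, name string) http.Header {
	h := http.Header{}
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	if ct := detectType(data); inlineTypes[ct] {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", "inline")
	} else {
		h.Set("Content-Type", "application/octet-stream")
		h.Set("Content-Disposition", `attachment; filename="`+safeName(name)+`"`)
	}
	return h
}
```

Constructed check: an HTML payload uploaded as "avatar.png" is served as a download, while a real PNG renders inline with nosniff set.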

🧯 If You Can't Patch

  • Restrict user upload permissions to trusted administrators only
  • Implement web application firewall rules to block suspicious upload patterns

🔍 How to Verify

Check if Vulnerable:

Check if running Memos version 0.22 or earlier; review if file uploads bypass content type validation.

Check Version:

Check the Memos web interface settings or run the memos binary with its version flag.

Verify Fix Applied:

Confirm Memos version is 0.24.0 or later; test file uploads with malicious content to ensure proper validation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file upload patterns
  • Multiple failed upload attempts with suspicious filenames
  • Admin account accessing unexpected uploaded files

Network Indicators:

  • HTTP requests with suspicious file uploads containing script tags
  • Unusual outbound connections from admin sessions

SIEM Query:

source="memos.log" AND ("upload" OR "attachment") AND ("script" OR "javascript" OR "onerror")
