Moderate severity · NVD Advisory · Published Apr 19, 2024 · Updated Aug 7, 2024
memos vulnerable to an SSRF in /o/get/httpmeta
CVE-2024-29028
Description
memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, the unauthenticated `GET /o/get/httpmeta?url=<url>` endpoint fetched the caller-supplied URL server-side after nothing more than a `url.Parse` syntax check, so an unauthenticated user could point the server at loopback, private-range or otherwise internal hosts (server-side request forgery), tell reachable targets from unreachable ones by the 200-versus-406 response, and read back a limited set of HTML metadata values (title, description, image) from the fetched page as JSON. The issue is fixed in 0.16.1, where the route and its handler were removed outright rather than guarded by a target-host check.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/usememos/memos (Go) | < 0.16.1 | 0.16.1 |
Patches (1)
6ffc09d86a13 — chore: remove unused httpmeta getter api
4 files changed · +827 −877
api/v1/docs.go+14 −54 modified@@ -1891,40 +1891,6 @@ const docTemplate = `{ } } }, - "/o/get/GetWebsiteMetadata": { - "get": { - "produces": [ - "application/json" - ], - "tags": [ - "get" - ], - "summary": "Get website metadata", - "parameters": [ - { - "type": "string", - "description": "Website URL", - "name": "url", - "in": "query", - "required": true - } - ], - "responses": { - "200": { - "description": "Extracted metadata", - "schema": { - "$ref": "#/definitions/getter.HTMLMeta" - } - }, - "400": { - "description": "Missing website url | Wrong url" - }, - "406": { - "description": "Failed to get website meta with url: %s" - } - } - } - }, "/o/r/{resourceId}": { "get": { "description": "*Swagger UI may have problems displaying other file types than images", @@ -2002,20 +1968,6 @@ const docTemplate = `{ } }, "definitions": { - "getter.HTMLMeta": { - "type": "object", - "properties": { - "description": { - "type": "string" - }, - "image": { - "type": "string" - }, - "title": { - "type": "string" - } - } - }, "github_com_usememos_memos_store.UserSetting": { "type": "object", "properties": { @@ -2033,6 +1985,14 @@ const docTemplate = `{ "profile.Profile": { "type": "object", "properties": { + "driver": { + "description": "Driver is the database driver\nsqlite, mysql", + "type": "string" + }, + "dsn": { + "description": "DSN points to where Memos stores its own data", + "type": "string" + }, "mode": { "description": "Mode can be \"prod\" or \"dev\" or \"demo\"", "type": "string" @@ -2139,8 +2099,11 @@ const docTemplate = `{ "id": { "type": "integer" }, + "parentID": { + "description": "Composed fields\nFor those comment memos, the parent ID is the memo ID of the memo being commented.\nIf the parent ID is nil, then this memo is not a comment.", + "type": "integer" + }, "pinned": { - "description": "Composed fields", "type": "boolean" }, "relationList": { 
@@ -2189,11 +2152,11 @@ const docTemplate = `{ "type": "string", "enum": [ "REFERENCE", - "ADDITIONAL" + "COMMENT" ], "x-enum-varnames": [ "MemoRelationReference", - "MemoRelationAdditional" + "MemoRelationComment" ] }, "store.Resource": { @@ -2406,9 +2369,6 @@ const docTemplate = `{ "filename": { "type": "string" }, - "internalPath": { - "type": "string" - }, "type": { "type": "string" }
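--- a/api/v1/http_getter.go
+++ b/api/v1/http_getter.go
@@ -11,39 +11,10 @@ import (
 )
 
 func (*APIV1Service) registerGetterPublicRoutes(g *echo.Group) {
-	// GET /get/httpmeta?url={url} - Get website meta.
-	g.GET("/get/httpmeta", GetWebsiteMetadata)
-
 	// GET /get/image?url={url} - Get image.
 	g.GET("/get/image", GetImage)
 }
 
-// GetWebsiteMetadata godoc
-//
-// @Summary Get website metadata
-// @Tags get
-// @Produce json
-// @Param url query string true "Website URL"
-// @Success 200 {object} getter.HTMLMeta "Extracted metadata"
-// @Failure 400 {object} nil "Missing website url | Wrong url"
-// @Failure 406 {object} nil "Failed to get website meta with url: %s"
-// @Router /o/get/GetWebsiteMetadata [GET]
-func GetWebsiteMetadata(c echo.Context) error {
-	urlStr := c.QueryParam("url")
-	if urlStr == "" {
-		return echo.NewHTTPError(http.StatusBadRequest, "Missing website url")
-	}
-	if _, err := url.Parse(urlStr); err != nil {
-		return echo.NewHTTPError(http.StatusBadRequest, "Wrong url").SetInternal(err)
-	}
-
-	htmlMeta, err := getter.GetHTMLMeta(urlStr)
-	if err != nil {
-		return echo.NewHTTPError(http.StatusNotAcceptable, fmt.Sprintf("Failed to get website meta with url: %s", urlStr)).SetInternal(err)
-	}
-	return c.JSON(http.StatusOK, htmlMeta)
-}
-
 // GetImage godoc
 //
 // @Summary Get GetImage from URL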
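Review bot: The surviving `g.GET("/get/image", GetImage)` registration sits in the same public (unauthenticated) group and, per its own comment, also fetches a caller-supplied `url`, so deleting only the httpmeta handler removes one SSRF sink and leaves its sibling in place; the body of GetImage starts outside this hunk, so whether it validates the target cannot be confirmed from here. The deleted handler's only guard was `url.Parse`, which accepts loopback, private-range and link-local hosts as well as any scheme, and nothing on the new side adds a replacement check. A shared validator that parses the URL, restricts the scheme to http/https, resolves the host and rejects non-global addresses should be applied to GetImage — and because a DNS answer can change between the check and the fetch, and a redirect can land on an internal host, the same rule is best enforced again in the HTTP client's `Dialer.Control` (or with redirects disabled). A comment at the registration line such as `// Public, unauthenticated route: the handler must reject internal targets before fetching.` would make the requirement visible to the next person who adds a fetch-by-URL endpoint here.
```go
func (*APIV1Service) registerGetterPublicRoutes(g *echo.Group) {
	// GET /get/image?url={url} - Get image.
	g.GET("/get/image", GetImage)
}

// rejectInternalTarget refuses URLs whose scheme is not http/https or whose
// host resolves to a loopback, private, link-local or unspecified address, so
// the public /get/* routes cannot be pointed at the internal network. Callers
// should re-apply the address rule in the client's Dialer.Control, since the
// resolution here can be raced by DNS rebinding or bypassed via a redirect.
func rejectInternalTarget(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return errors.New("unsupported url")
	}
	addrs, err := net.LookupIP(u.Hostname())
	if err != nil || len(addrs) == 0 {
		return errors.New("unresolvable host")
	}
	for _, ip := range addrs {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsUnspecified() {
			return errors.New("target address not allowed")
		}
	}
	return nil
}

// … unchanged: GetImage godoc and handler (call rejectInternalTarget before fetching) …
```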
api/v1/swagger.yaml+16 −36 modified@@ -1,14 +1,5 @@ basePath: / definitions: - getter.HTMLMeta: - properties: - description: - type: string - image: - type: string - title: - type: string - type: object github_com_usememos_memos_store.UserSetting: properties: key: @@ -20,6 +11,14 @@ definitions: type: object profile.Profile: properties: + driver: + description: |- + Driver is the database driver + sqlite, mysql + type: string + dsn: + description: DSN points to where Memos stores its own data + type: string mode: description: Mode can be "prod" or "dev" or "demo" type: string @@ -90,8 +89,13 @@ definitions: type: integer id: type: integer + parentID: + description: |- + Composed fields + For those comment memos, the parent ID is the memo ID of the memo being commented. + If the parent ID is nil, then this memo is not a comment. + type: integer pinned: - description: Composed fields type: boolean relationList: items: @@ -122,11 +126,11 @@ definitions: store.MemoRelationType: enum: - REFERENCE - - ADDITIONAL + - COMMENT type: string x-enum-varnames: - MemoRelationReference - - MemoRelationAdditional + - MemoRelationComment store.Resource: properties: blob: @@ -267,8 +271,6 @@ definitions: type: string filename: type: string - internalPath: - type: string type: type: string type: object @@ -1976,28 +1978,6 @@ paths: summary: Get GetImage from URL tags: - get - /o/get/GetWebsiteMetadata: - get: - parameters: - - description: Website URL - in: query - name: url - required: true - type: string - produces: - - application/json - responses: - "200": - description: Extracted metadata - schema: - $ref: '#/definitions/getter.HTMLMeta' - "400": - description: Missing website url | Wrong url - "406": - description: 'Failed to get website meta with url: %s' - summary: Get website metadata - tags: - - get /o/r/{resourceId}: get: description: '*Swagger UI may have problems displaying other file types than
docs/api/v1.md+797 −758 modified
Vulnerability mechanics
The removed handler `GetWebsiteMetadata` (api/v1/http_getter.go) was registered in `registerGetterPublicRoutes`, read the `url` query parameter, and handed it to `getter.GetHTMLMeta` after nothing more than a successful `url.Parse` — a syntax check that restricts neither scheme nor host, so loopback, private-range and link-local targets were accepted. The server therefore performed the fetch on the caller's behalf (server-side request forgery, CWE-918); a 200 response carrying title/description/image JSON versus a 406 "Failed to get website meta" error let a caller tell which internal hosts answered. The patch (6ffc09d) removes the route, the handler and their swagger definitions; it adds no host validation, so any other public fetch-by-URL route (the sibling `/o/get/image` remains registered in the same group) needs its own egress check.
References
- github.com/advisories/GHSA-6fcf-g3mp-xj2x (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-29028 (NVD record)
- securitylab.github.com/advisories/GHSL-2023-154_GHSL-2023-156_memos (GitHub Security Lab advisory; x_refsource_MISC)
- github.com/usememos/memos/commit/6ffc09d86a1302c384ef085aa70c7bddb3ce7ba9 (fix commit; x_refsource_CONFIRM)