VYPR
Moderate severity · NVD Advisory · Published Sep 3, 2025 · Updated Sep 4, 2025

CVE-2025-56760

Description

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memos 0.22 allows authenticated users to write arbitrary files on the server via path traversal in the CreateResource endpoint.

Vulnerability

Overview

CVE-2025-56760 affects Memos version 0.22 when configured to store objects locally. The vulnerability resides in the CreateResource endpoint, which fails to sanitize user-supplied filenames. An attacker can include path traversal sequences (e.g., ../) in the resource name, enabling arbitrary file write outside the intended upload directory [1][2].

Exploitation

To exploit this vulnerability, an attacker must be an authenticated user of the Memos instance; no privileges beyond ordinary user authentication are required. By submitting a resource whose name contains path traversal sequences, the attacker can write the uploaded content to arbitrary locations on the server filesystem [1][2]. The endpoint never verifies that the resolved destination stays inside the designated storage directory, so any authenticated user can write files outside it [1].

Impact

Successful exploitation allows an attacker to write arbitrary files on the server. This can lead to remote code execution, data corruption, or complete server compromise. What the attacker can reach is bounded by the filesystem permissions of the account the Memos process runs as; a write into a location the host later executes or loads is what turns the file write into code execution. The vulnerability is particularly severe because it can be chained with other issues, such as stored XSS, to escalate privileges and achieve full platform takeover [1].

Mitigation

As of the publication date, the Memos maintainers have not responded to responsible disclosure, and no official patch has been released. Organizations running Memos 0.22 are advised to restrict access to trusted users only and monitor for updates from the project [1]. Deployments that keep local object storage should also run the Memos process as an unprivileged account whose only writable path is the storage directory, which limits what a traversal can reach. The vulnerability was disclosed under a 90-day disclosure policy [1].
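The path-building bug described under Exploitation, shown beside a hardened replacement, plus a small triage check for the "monitor" advice above. This is an added example written for this page, not Memos' own code: the function names, the storage root "/srv/memos/assets" and the sample filenames are assumptions chosen for the demonstration.

```go
// Added example, not Memos' own implementation. The storage root and the
// sample names below are assumptions made for the demonstration.
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned when a client-supplied name would leave the storage root.
var ErrTraversal = errors.New("filename escapes storage directory")

// unsafeResourcePath reproduces the bug class on the page: the name taken from
// the request is joined onto the local storage root with no containment check.
// filepath.Join cleans ".." segments, so "../../../etc/cron.d/backdoor"
// resolves to a path far outside root.
func unsafeResourcePath(root, name string) string {
	return filepath.Join(root, name)
}

// safeResourcePath is the hardened form. It treats the client value strictly as
// a basename (no separators, no "." or ".."), then re-checks the resolved path
// against the root so a later change to the first check cannot reopen the hole.
func safeResourcePath(root, name string) (string, error) {
	if name == "" || name == "." || name == ".." || name != filepath.Base(name) {
		return "", ErrTraversal
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(absRoot, name)
	rel, err := filepath.Rel(absRoot, dst)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return dst, nil
}

// looksLikeTraversal flags a filename field pulled from a request log for
// review. It percent-decodes first so "..%2F..%2Fetc%2Fpasswd" is caught as
// well as the plain form, and treats both slash styles as separators. It is a
// triage aid, not a substitute for the server-side check above.
func looksLikeTraversal(name string) bool {
	decoded, err := url.PathUnescape(name)
	if err != nil {
		decoded = name
	}
	if strings.ContainsAny(decoded, `/\`) {
		return true
	}
	return decoded == "." || decoded == ".."
}

func main() {
	root := "/srv/memos/assets" // assumed storage root for the demo
	// Constructed sample names: one benign upload and one traversal attempt.
	for _, name := range []string{"notes.png", "../../../etc/cron.d/backdoor"} {
		fmt.Printf("name=%q\n", name)
		fmt.Printf("  unsafe join -> %s\n", unsafeResourcePath(root, name))
		if dst, err := safeResourcePath(root, name); err != nil {
			fmt.Printf("  safe join   -> rejected: %v\n", err)
		} else {
			fmt.Printf("  safe join   -> %s\n", dst)
		}
		fmt.Printf("  flagged for review: %t\n", looksLikeTraversal(name))
	}
}
```

Two layers are deliberate: the basename check is the rule a reviewer can read in one line, and the filepath.Rel check catches anything a future edit lets through (it is what rejects a bare ".." on its own). The log heuristic decodes percent-escapes because it sees the wire form, whereas the server-side check must operate on exactly the value it uses to build the path.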

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/usememos/memos (Go)
Affected versions: <= 0.22.0
Patched versions: (none)

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
