Moderate severity · OSV Advisory · Published Dec 8, 2025 · Updated Dec 8, 2025
CVE-2025-65799
Description
Missing filename validation in the Attachment service of usememos/memos v0.25.2 allows an attacker who can create or update an attachment to supply a filename containing path separators or `..` segments and perform a path traversal. Version 0.25.3 rejects such filenames at the API boundary.
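To show the class of bug the advisory describes, the following is an added example, not code from the memos project: a client-controlled filename joined straight onto a storage root (the pre-fix behaviour class) beside a hardened path builder that applies the same kind of checks the fix introduces (single local path element, no `/` or `\`, no leading or trailing space or period) and then confirms, after joining, that the result is still below the root. The storage root, the helper names and the sample filenames are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed storage root for the demonstration (not a memos setting).
const attachmentRoot = "/srv/memos/attachments"

// unsafeAttachmentPath shows the vulnerable pattern: the client-supplied
// filename is joined onto the root with no validation. filepath.Join cleans
// the result, so ".." segments silently walk out of the root.
func unsafeAttachmentPath(root, filename string) string {
	return filepath.Join(root, filename)
}

// ErrBadFilename is returned for any name that must not become a path segment.
var ErrBadFilename = errors.New("invalid attachment filename")

// validateFilename is a hypothetical re-implementation of the check class used
// by the fix: the name must be a single, relative path element with no
// separators in either style, and must not start or end with a space or period.
// filepath.IsLocal only knows the host OS separator, so on a Linux server the
// explicit ContainsAny is what rejects Windows-style "..\\" names.
func validateFilename(filename string) bool {
	if !filepath.IsLocal(filename) || strings.ContainsAny(filename, "/\\") {
		return false
	}
	if strings.HasPrefix(filename, " ") || strings.HasSuffix(filename, " ") ||
		strings.HasPrefix(filename, ".") || strings.HasSuffix(filename, ".") {
		return false
	}
	return true
}

// escapesRoot reports whether path lies outside root. filepath.Rel is used so
// that a sibling such as "/srv/memos/attachments-old" is not mistaken for a
// child of the root by a naive string-prefix comparison.
func escapesRoot(root, path string) bool {
	rel, err := filepath.Rel(root, path)
	if err != nil {
		return true
	}
	return rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// safeAttachmentPath validates the name lexically, then re-checks the joined
// path as defence in depth (an independent second check catches anything the
// lexical filter might miss).
func safeAttachmentPath(root, filename string) (string, error) {
	if !validateFilename(filename) {
		return "", fmt.Errorf("%w: %q", ErrBadFilename, filename)
	}
	full := filepath.Join(root, filename)
	if escapesRoot(root, full) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrBadFilename, filename, root)
	}
	return full, nil
}

func main() {
	// Constructed sample filenames: one benign, the rest malicious or malformed.
	inputs := []string{
		"notes.pdf",               // benign
		"../../../etc/cron.d/job", // classic traversal
		"..\\..\\boot.ini",        // Windows separators, invisible to IsLocal on Unix
		"/etc/passwd",             // absolute path
		".env",                    // leading period
		"report.pdf.",             // trailing period
		"",                        // empty
	}
	for _, name := range inputs {
		fmt.Printf("%-28q unsafe=%-40s ", name, unsafeAttachmentPath(attachmentRoot, name))
		if p, err := safeAttachmentPath(attachmentRoot, name); err != nil {
			fmt.Printf("safe=REJECTED (%v)\n", err)
		} else {
			fmt.Printf("safe=%s\n", p)
		}
	}
}
```

Run it with `go run .`; the unsafe column shows `../../../etc/cron.d/job` landing at `/etc/cron.d/job`, while the hardened builder rejects every non-benign input before any path is formed. Note that `filepath.IsLocal` exists from Go 1.20 onward.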
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/usememos/memos (Go) | < 0.25.3 | 0.25.3 |
Patches
5f57f48673e2 fix(security): validate attachment filenames (#5218)
1 file changed · +21 −0
server/router/api/v1/attachment_service.go+21 −0 modified@@ -64,6 +64,9 @@ func (s *APIV1Service) CreateAttachment(ctx context.Context, request *v1pb.Creat if request.Attachment.Filename == "" { return nil, status.Errorf(codes.InvalidArgument, "filename is required") } + if !validateFilename(request.Attachment.Filename) { + return nil, status.Errorf(codes.InvalidArgument, "filename contains invalid characters or format") + } if request.Attachment.Type == "" { return nil, status.Errorf(codes.InvalidArgument, "type is required") } @@ -325,6 +328,9 @@ func (s *APIV1Service) UpdateAttachment(ctx context.Context, request *v1pb.Updat } for _, field := range request.UpdateMask.Paths { if field == "filename" { + if !validateFilename(request.Attachment.Filename) { + return nil, status.Errorf(codes.InvalidArgument, "filename contains invalid characters or format") + } update.Filename = &request.Attachment.Filename } } @@ -701,3 +707,18 @@ func setResponseHeaders(ctx context.Context, headers map[string]string) error { } return grpc.SetHeader(ctx, metadata.Pairs(pairs...)) } + +func validateFilename(filename string) bool { + // Reject path traversal attempts and make sure no additional directories are created + if !filepath.IsLocal(filename) || strings.ContainsAny(filename, "/\\") { + return false + } + + // Reject filenames starting or ending with spaces or periods + if strings.HasPrefix(filename, " ") || strings.HasSuffix(filename, " ") || + strings.HasPrefix(filename, ".") || strings.HasSuffix(filename, ".") { + return false + } + + return true +}
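Review bot: the new validateFilename at the end of the file ships without tests ("1 file changed"); please add a table-driven test covering "..", "../x", "..\\x", an absolute path, and names with a leading or trailing period or space. Two behaviours are worth pinning down in such a test and in the commit message: filepath.IsLocal only treats the host separator as a separator, so on a Linux server the explicit `strings.ContainsAny(filename, "/\\")` is the check that actually rejects Windows-style "..\\" names, and the leading-period rule also rejects ordinary dotfiles such as ".gitignore", which is a user-visible change. Control characters (CR, LF, NUL) still pass this filter; if the stored filename is ever reflected into a response header via setResponseHeaders, it needs escaping there. filepath.IsLocal also requires go 1.20 or later in go.mod, which this diff does not show.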
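Review bot: the check added inside `if field == "filename"` in UpdateAttachment, like the one in CreateAttachment, only gates new input arriving through the API; attachments stored before this fix keep whatever filename they were created with, and nothing in this change re-validates existing rows. Consider a one-off migration that flags or renames non-conforming filenames, or applying validateFilename again where the stored name is turned into a filesystem path, so that pre-fix data cannot still traverse.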
References
- github.com/advisories/GHSA-qgjp-5g5x-vhq2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-65799 (advisory)
- memos.com
- usememos.com
- github.com/usememos/memos/commit/5f57f48673e2054f404b2c5b497a8eaa3690591d (fix commit)
- github.com/usememos/memos/pull/5218 (fix PR)
- herolab.usd.de/security-advisories/usd-2025-0056 (advisory)