-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
GoGoMiggo AIRoot Cause AnalysisThe vulnerability stems from structs used in PATCH request handlers (MemoPatch, ResourcePatch, ShortcutPatch, UserPatch) having their ID fields exposed to user input via JSON deserialization. Prior to the patch, these structs lacked the json:"-" tag, allowing attackers to inject an ID parameter in requests. The associated handler functions (not explicitly named in the diff) would then process these user-controlled IDs without proper authorization checks, enabling resource modification bypass. The patch mitigates this by excluding the ID field from JSON parsing.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/usememos/memos | go | < 0.9.0 | 0.9.0 |
Ongoing coverage of React2Shell