CVE-2025-50738: Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 7/29/2025
Updated: 7/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: -

Package Name              | Ecosystem | Vulnerable Versions | First Patched Version
github.com/usememos/memos | go        | < 0.24.4            | 0.24.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability lies in the handling of user-uploaded files in the Memos application. An attacker could upload a file with a crafted content type (e.g., image/svg+xml) that contains malicious scripts. When another user's browser attempts to render this file, the script would execute, leading to a Cross-Site Scripting (XSS) attack. The provided commit patch addresses this issue in the GetResourceBinary function within server/router/api/v1/resource_service.go. The patch adds a check to identify potentially harmful content types and forces them to be served as application/octet-stream. This change ensures that browsers will treat the file as a downloadable binary rather than a renderable and potentially executable file, thus preventing the XSS attack. The vulnerable function is therefore APIV1Service.GetResourceBinary as it was the function responsible for serving the user-uploaded content without proper validation.
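To make the mitigation concrete, the following is an added illustration (not the Memos patch itself) of a download handler that downgrades script-capable content types to application/octet-stream before serving a user-uploaded blob. The list of "active" types and the WriteResource helper are assumptions of this example, not code from the project.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// activeContentTypes are MIME types a browser will parse as a document and
// execute script from when rendered inline. Illustrative set for this example.
var activeContentTypes = map[string]bool{
	"image/svg+xml":         true,
	"text/html":             true,
	"application/xhtml+xml": true,
	"application/xml":       true,
	"text/xml":              true,
}

// SafeContentType returns the Content-Type to serve an upload with. Declared
// types that can carry script are forced to application/octet-stream so the
// browser downloads the file instead of rendering it. Parameters such as
// "; charset=utf-8" are stripped before the lookup, and an unparseable or
// empty declaration is treated as binary too.
func SafeContentType(declared string) string {
	mediaType, _, err := mime.ParseMediaType(declared) // returns lowercased type
	if err != nil || mediaType == "" || activeContentTypes[mediaType] {
		return "application/octet-stream"
	}
	return mediaType
}

// WriteResource serves a stored blob with hardened headers. nosniff stops the
// browser from re-detecting the type; attachment disposition forces a download
// whenever the type was downgraded.
func WriteResource(w http.ResponseWriter, filename, declaredType string, blob []byte) {
	ct := SafeContentType(declaredType)
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if ct == "application/octet-stream" {
		w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))
	}
	_, _ = w.Write(blob)
}

func main() {
	// Constructed sample: a benign SVG uploaded with its real content type.
	svg := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>`)
	rec := httptest.NewRecorder()
	WriteResource(rec, "logo.svg", "image/svg+xml; charset=utf-8", svg)
	fmt.Println(rec.Header().Get("Content-Type"), rec.Header().Get("Content-Disposition"))
}
```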

WAF Protection Rules

WAF Rule

The Memos application, up to version v*.**.*, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or inter
