7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-65795

CVE-2025-65795: memos vulnerability allows the creation of arbitrary accounts

Incorrect access control in the /api/v1/user endpoint of usememos memos v0.25.2 allows unauthorized attackers to create arbitrary accounts via a crafted request.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-65795

CVE-2025-65795:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/usememos/memos	go	< 0.25.3	0.25.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the security patch 769dcd0cf9be83d472829f6e7903b201e42f6b3c reveals a systemic lack of proper authorization checks across multiple API endpoints in the APIV1Service. The primary vulnerability, as highlighted by the CVE description, is within the CreateUser function. It failed to check if public registration was disabled, allowing unauthenticated attackers to create accounts. However, the patch addresses a broader set of vulnerabilities. Other functions like UpdateIdentityProvider, DeleteIdentityProvider, SetMemoAttachments, SetMemoRelations, and DeleteMemoReaction were also missing critical authorization and ownership checks, allowing authenticated users to perform administrative actions or modify other users' data without permission. Furthermore, GetIdentityProvider and ListIdentityProviders were found to leak sensitive credentials (OAuth client secrets) to unauthorized users. The patch rectifies these issues by adding the necessary permission checks, role verifications, and data redaction logic, thereby securing the affected endpoints.

Vulnerable functions

APIV1Service.CreateUser

server/router/api/v1/user_service.go

The function lacked a check to verify if public user registration was disabled. This allowed an unauthenticated attacker to create a new user account by sending a request to the `/api/v1/user` endpoint, even if the administrator had disallowed new registrations. The patch adds a check for the `DisallowUserRegistration` setting.

APIV1Service.UpdateIdentityProvider

server/router/api/v1/idp_service.go

The function did not have an authorization check, allowing any authenticated user to modify the configuration of an identity provider. The patch restricts this functionality to users with the `RoleHost` role, preventing unauthorized modifications.

APIV1Service.DeleteIdentityProvider

server/router/api/v1/idp_service.go

The function was missing an authorization check, which allowed any authenticated user to delete an identity provider. The patch ensures that only users with the `RoleHost` role can perform this action.

APIV1Service.GetIdentityProvider

server/router/api/v1/idp_service.go

The function exposed sensitive information, such as the OAuth2 `client_secret`, to any authenticated user. The patch introduces the `redactIdentityProviderResponse` function to remove the secret for users who do not have the `RoleHost` role, mitigating an information disclosure vulnerability.

APIV1Service.ListIdentityProviders

server/router/api/v1/idp_service.go

Similar to `GetIdentityProvider`, this function leaked sensitive OAuth2 `client_secret` values for all configured identity providers to any authenticated user. The patch applies the same redaction logic to prevent this information disclosure.

APIV1Service.SetMemoAttachments

server/router/api/v1/memo_attachment_service.go

The function lacked an ownership check, allowing any authenticated user to modify the attachments of any memo, not just their own. The patch adds a check to ensure that only the memo's creator or a superuser can modify its attachments.

APIV1Service.SetMemoRelations

server/router/api/v1/memo_relation_service.go

This function was missing an ownership check, which permitted any authenticated user to alter the relations of any memo. The patch corrects this by restricting modification rights to the memo's creator or a superuser.

APIV1Service.DeleteMemoReaction

server/router/api/v1/reaction_service.go

The function did not validate if the user attempting to delete a reaction was the one who created it. This allowed any authenticated user to delete any other user's reaction. The patch introduces an ownership check to fix this authorization flaw.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-65795: memos vulnerability allows the creation of arbitrary accounts

CVE-2025-65795:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-65795: memos vulnerability allows the creation of arbitrary accounts

7.5

7.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI