CVE-2025-50738
published 2025-07-29

Priority: P2 (61) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public (see Detection & IOCs below)
EPSS: 2.10% (79.3rd percentile)
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.

Affected (2 ranges)

Vendor      | Product         | Version range     | Fixed in
github.com  | usememos_memos  | >= 0, < 0.24.4    | 0.24.4
usememos    | memos           | <= 0.24.3         | (not listed)

Detection & IOCs (extracted from sources)

Paths:
  /api/v1/auth/signin
  /api/v1/resources
  /file/resources/{{resource_id}}/{(unknown)}.svg
Bytes (base64):
  PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg==
  • Look for SVG uploads to /api/v1/resources with Content-Type: image/svg+xml whose base64-encoded content carries JavaScript event handlers (e.g. onload="alert(1)").
  • The base64 payload above decodes to an SVG with an onload handler: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>. Decode uploaded SVG content before inspecting it; a check that only looks at the raw request body will miss the handler.
  • Monitor POST requests to /api/v1/resources where the filename ends in .svg and the content field is base64 data containing inline event attributes (on*) or <script> elements.
  • Watch upload responses for the resource_id pattern '"name":"resources/([A-Za-z0-9]+)"'; the PoC uses it to build the delivery URL /file/resources/<id>/<filename>.svg, which serves the SVG to any user who opens it.
  • For the IP/User-Agent disclosure vector, the fetch happens in the viewing user's browser, not on the Memos server, so server-side egress monitoring will not see it. Inspect memo content for markdown images whose URL points to a host other than the instance itself, and treat such URLs as potential tracking beacons.
  • The SVG vector requires authentication: the attacker needs valid credentials to POST to /api/v1/resources. The resulting payload is then served to any user who views the uploaded resource.
  • The 9.8 CVSS score shown above conflicts with the classification metrics (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) and with the NVD CWE (CWE-200, information disclosure). Treat the severity contextually rather than taking either figure at face value.
  • The IP/UA disclosure vector is passive: it triggers as soon as a victim views a memo containing a markdown image with an attacker-controlled URL, with no interaction beyond viewing the memo.
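The detection notes above describe three checks: decoding SVG uploads to /api/v1/resources and looking for inline event handlers, pulling the resource id out of the upload response, and flagging memo markdown images that point off the instance. The script below implements all three over constructed sample data. It is an added example, not code from the Memos project or from the sources the IOCs were extracted from. The request-record shape (method/path/body) and the upload body fields filename/type/content are assumptions made to mirror the IOC list, not a confirmed Memos API schema; the base64 payload is the one listed above, and the hostnames are made up.

```python
"""Detection helpers for the two CVE-2025-50738 vectors (added example).

Assumptions: request records are dicts with method/path/body fields, and the
upload body is JSON with filename/type/content (base64). This mirrors the IOC
list above and is not a confirmed Memos API schema.
"""
from __future__ import annotations

import base64
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

UPLOAD_PATH = "/api/v1/resources"
# Resource id pattern from the IOC list; feeds the /file/resources/<id>/... URL.
RESOURCE_ID_RE = re.compile(r'"name":"resources/([A-Za-z0-9]+)"')
# Markdown image with an absolute http(s) URL: ![alt](https://host/path)
MD_IMAGE_RE = re.compile(r'!\[[^\]]*\]\((https?://[^\s)]+)\)')
SVG_NS = "{http://www.w3.org/2000/svg}"


def svg_inline_handlers(svg_bytes: bytes) -> list[str]:
    """Return on* attributes and <script> elements found anywhere in an SVG.

    Parses the XML so handlers on nested elements are found; if the document
    is not well-formed (browsers still render slightly broken SVG) fall back
    to a regex over the raw bytes so the check cannot be bypassed that way.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        for m in re.finditer(rb'\bon\w+\s*=', svg_bytes, re.IGNORECASE):
            findings.append(m.group(0).decode(errors="replace").rstrip("= \t"))
        if re.search(rb'<script\b', svg_bytes, re.IGNORECASE):
            findings.append("script")
        return findings
    for el in root.iter():
        if el.tag.replace(SVG_NS, "").lower() == "script":
            findings.append("script")
        findings.extend(a for a in el.attrib if a.lower().startswith("on"))
    return findings


def check_upload(record: dict) -> dict | None:
    """Flag a POST to /api/v1/resources carrying an SVG with JavaScript."""
    if record.get("method") != "POST" or record.get("path") != UPLOAD_PATH:
        return None
    try:
        body = json.loads(record.get("body", ""))
    except json.JSONDecodeError:
        return None
    if not isinstance(body, dict):
        return None
    filename, ctype = str(body.get("filename", "")), str(body.get("type", ""))
    if not (filename.lower().endswith(".svg") or ctype == "image/svg+xml"):
        return None
    try:  # the upload is base64; inspect the decoded bytes, not the wrapper
        raw = base64.b64decode(body.get("content", ""), validate=True)
    except (ValueError, TypeError):
        return None
    handlers = svg_inline_handlers(raw)
    return {"vector": "svg-xss", "filename": filename, "handlers": handlers} if handlers else None


def resource_ids(response_body: str) -> list[str]:
    """Ids from an upload response; each maps to /file/resources/<id>/<name>.svg."""
    return RESOURCE_ID_RE.findall(response_body)


def external_images(memo_markdown: str, own_hosts: frozenset[str]) -> list[str]:
    """Image URLs the viewing browser would fetch from a host other than ours.

    own_hosts is an operator-supplied allow-list of the instance's hostnames.
    """
    return [u for u in MD_IMAGE_RE.findall(memo_markdown)
            if (urlparse(u).hostname or "").lower() not in own_hosts]


# Constructed sample data (not captured traffic). The first payload is the
# base64 string from the IOC list; the second is a benign SVG for contrast.
PAYLOAD_B64 = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg=="
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SAMPLE_REQUESTS = [
    {"method": "POST", "path": UPLOAD_PATH,
     "body": json.dumps({"filename": "logo.svg", "type": "image/svg+xml", "content": PAYLOAD_B64})},
    {"method": "POST", "path": UPLOAD_PATH,
     "body": json.dumps({"filename": "chart.svg", "type": "image/svg+xml",
                         "content": base64.b64encode(BENIGN_SVG).decode()})},
    {"method": "POST", "path": "/api/v1/auth/signin", "body": "{}"},
]
SAMPLE_RESPONSE = '{"name":"resources/bz8K2mQx","filename":"logo.svg"}'
SAMPLE_MEMO = ("Notes\n![pixel](https://tracker.example/p.gif)\n"
               "![ok](https://memos.internal.example/file/resources/bz8K2mQx/logo.svg)")


def scan(requests=SAMPLE_REQUESTS, response=SAMPLE_RESPONSE, memo=SAMPLE_MEMO,
         own_hosts=frozenset({"memos.internal.example"})) -> dict:
    """Run all three checks and return the findings together."""
    return {
        "uploads": [f for f in (check_upload(r) for r in requests) if f],
        "resource_ids": resource_ids(response),
        "beacons": external_images(memo, own_hosts),
    }


if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

Running the block flags only the first upload (handler onload), extracts bz8K2mQx from the response, and reports the tracker.example image as a beacon while leaving the instance's own resource URL alone. The regex fallback in svg_inline_handlers matters in practice: an SVG that the XML parser rejects is still rendered by browsers, so a detector that gives up on a parse error is trivially bypassed.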