CVE-2025-50738
published 2025-07-29
Priority: P2 · 61 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.10% (79.3th percentile)
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | usememos_memos | >= 0 < 0.24.4 | 0.24.4 |
| usememos | memos | <= 0.24.3 | — |
Detection & IOCs (extracted from sources)
IOC (bytes): PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg==
- Look for SVG file uploads to /api/v1/resources with Content-Type: image/svg+xml containing base64-encoded payloads with JavaScript event handlers (e.g., onload="alert(1)").
- The base64 payload decodes to an SVG with an onload JavaScript handler: <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>. Detect SVG uploads containing inline event handlers.
- Monitor POST requests to /api/v1/resources where the filename ends in .svg and the content field contains base64-encoded data with JavaScript event attributes.
- Detect the resource_id extraction pattern in responses: '"name":"resources/([A-Za-z0-9]+)"'. This is used to construct the XSS delivery URL /file/resources/<id>/<filename>.svg.
- For the IP/UA disclosure vector, monitor outbound image fetch requests from the Memos server or user browsers to attacker-controlled URLs embedded as markdown images in memo content.
- The vulnerability requires authentication; the attacker must have valid credentials to POST to /api/v1/resources. The XSS payload is then served to any user who views the uploaded SVG resource.
- The CVSS score listed in the template (9.8) conflicts with the classification metrics (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) and the NVD CWE (CWE-200 / information disclosure). Treat severity contextually.
- The IP/UA disclosure vector is passive: it triggers automatically when a victim views a memo containing a markdown image with an attacker-controlled URL, requiring no additional interaction beyond viewing.
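The following detection logic is an added example, not code from the Memos project or from any indexed rule. It applies the SVG-upload indicators above to constructed upload records (the field names `filename`, `type` and `content` are assumptions modelled on the IOC text, not the real Memos API schema) and flags inline event-handler attributes, `<script>` elements and `javascript:` URLs:

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample upload records (not real traffic). The first content value
# is the base64 IOC quoted on this page; the others are benign controls.
SAMPLE_UPLOADS = [
    {"filename": "x.svg", "type": "image/svg+xml",
     "content": "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg=="},
    {"filename": "logo.svg", "type": "image/svg+xml",
     "content": base64.b64encode(b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>').decode()},
    {"filename": "photo.png", "type": "image/png",
     "content": base64.b64encode(b"\x89PNG\r\n\x1a\n").decode()},
]


def svg_active_content(svg_bytes: bytes) -> list:
    """Return findings for active content in an SVG document.

    Flags on* event-handler attributes, <script> elements and javascript:
    URLs in any attribute. An empty list means nothing suspicious was found.
    """
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable-svg"]
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if tag == "script":
            findings.append("script-element")
        for attr, val in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()
            if name.startswith("on"):
                findings.append(f"event-handler:{name}")
            elif re.match(r"\s*javascript:", val, re.I):
                findings.append(f"javascript-url:{name}")
    return findings


def flag_upload(record: dict) -> list:
    """Apply the SVG check to one resource-upload record (assumed shape)."""
    is_svg = record["filename"].lower().endswith(".svg") or record["type"] == "image/svg+xml"
    if not is_svg:
        return []
    try:
        body = base64.b64decode(record["content"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["invalid-base64"]
    return svg_active_content(body)
```

Run `flag_upload` over each captured upload; any non-empty result is an alert, and the benign SVG and the PNG return nothing.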
OSV (osv, 2025-08-11): CVE-2025-50738, Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs in github.com/usememos/memos
OSV (osv, 2025-07-29): CVE-2025-50738 [MEDIUM], Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
GHSA (ghsa, 2025-07-29): CVE-2025-50738 [MEDIUM] CWE-200, Memos has Cross-Site Scripting (XSS) Vulnerability in Image URLs
No detection rules found.
Nuclei (CVSS 9.8): CVE-2025-50738 [CRITICAL], Memos < 0.25.0 - Stored Cross-Site Scripting
An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
Template:
```yaml
id: CVE-2025-50738
info:
  name: Memos < 0.25.0 - Stored Cross-Site Scripting
  author: SeongHyeonJeon[nukunga]
  severity: medium
  description: |
    An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
  impact: |
    Authenticated attackers can upload malicious SVG files containing JavaScript code that executes in other users' browsers when they view the uploaded content, potentially stealing session tokens, credentials, or
```
No writeups or analysis indexed.