CVE-2025-56760

MEDIUM

memos 0.22 - Path Traversal and Arbitrary File Write via CreateResource Endpoint

Title source: llm

Description

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

References (2)

Core 2

Core References

Product

https://github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go#L48

View Writeup ZIP pw:eip

Exploit, Patch, Third Party Advisory

https://www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples/

Scores

CVSS v3 4.3

EPSS 0.0032

EPSS Percentile 23.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-24

Status published

Products (2)

usememos/memos 0.22.0

usememos/memos 0Go

Published Sep 03, 2025

Tracked Since Feb 18, 2026