Cyber Posture

CVE-2025-22952

Critical · Public PoC

Published: 27 February 2025
Modified: 10 July 2025
KEV Added: (none)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2306 (95.9th percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

Security Summary

CVE-2025-22952 is a Server-Side Request Forgery (SSRF) vulnerability in Memos version 0.23.0 (the CVE text names the Elestio packaging; the affected product is usememos/memos). It stems from insufficient validation of user-supplied URLs before the server fetches them. The issue is classified under CWE-918, was published on 2025-02-27, and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), rated critical because the vector assigns high impact to confidentiality, integrity, and availability.

Per the vector, an unauthenticated attacker with network access to the instance can exploit the flaw remotely, with low complexity and no user interaction. Exploitation lets the attacker make the Memos server issue requests to destinations of their choosing, which is how SSRF reaches services the attacker cannot hit directly: loopback-bound services on the host, internal networks the server can route to, and cloud instance metadata endpoints. The practical impact therefore depends on what the server can reach, not only on the nominal score.

The Memos GitHub repository tracks the issue in #4413 and fixes it in pull request #4428. Practitioners running Memos should consult the Elestio open-source Memos page and the official Memos repository to identify the first release containing that fix and upgrade to it; until then, restricting the instance's outbound network access limits what an SSRF can reach.
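The root cause listed above is CWE-918: a URL the user supplies is fetched by the server without adequate checks on where it points. The following Go program is an added example written for this page, not code from the Memos project or its fix in #4428, showing what an SSRF guard for such a fetch looks like. The function names (CheckURL, Resolver, ErrBlocked), the injected stub resolver and the sample URLs are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver is the hostname-to-address lookup used by CheckURL. It is injected
// so the guard can run offline in this example; a real service passes net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

var ErrBlocked = errors.New("ssrf guard: url blocked")

// blockedNets are ranges a server must never fetch on a client's behalf:
// "this network", RFC 1918, CGNAT, loopback, link-local (which includes the
// 169.254.169.254 cloud metadata endpoint) and their IPv6 equivalents.
// IPv4-mapped IPv6 addresses such as ::ffff:127.0.0.1 are caught because
// net.IPNet.Contains normalises them to their 4-byte form first.
var blockedNets = mustParseCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
	"::/128", "::1/128", "fc00::/7", "fe80::/10",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// isBlockedIP combines the standard-library classifiers with the explicit list.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// CheckURL validates a user-supplied URL before the server fetches it and
// returns the single address the caller should dial. The request is rejected
// if ANY resolved address is internal, which defeats split DNS answers; the
// caller pins the returned IP in its HTTP client's dialer so the fetch cannot
// be redirected by a second, different DNS answer (rebinding).
func CheckURL(raw string, resolve Resolver) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: %v", ErrBlocked, err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlocked, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: userinfo not allowed", ErrBlocked)
	}
	host := u.Hostname()
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrBlocked)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		// Hosts that are neither a literal address nor resolvable (e.g. the
		// shorthand "127.1" or "0x7f000001") fail closed here instead of being
		// handed to a more lenient HTTP stack that might accept them.
		ips, err = resolve(host)
		if err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("%w: cannot resolve %q", ErrBlocked, host)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to internal address %s", ErrBlocked, host, ip)
		}
	}
	return ips[0], nil
}

func main() {
	// Constructed stub resolver so the example runs offline; the addresses are made up.
	stub := func(host string) ([]net.IP, error) {
		switch host {
		case "example.com":
			return []net.IP{net.ParseIP("93.184.216.34")}, nil
		case "rebind.test": // one public and one internal answer
			return []net.IP{net.ParseIP("93.184.216.34"), net.ParseIP("10.0.0.5")}, nil
		}
		return nil, errors.New("no such host")
	}
	for _, raw := range []string{
		"https://example.com/page",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:127.0.0.1]/",
		"http://rebind.test/",
		"file:///etc/passwd",
	} {
		ip, err := CheckURL(raw, stub)
		fmt.Printf("%-45s -> ip=%v err=%v\n", raw, ip, err)
	}
}
```

The check is only half of the control: after CheckURL returns an address, the fetch must connect to that exact IP (a custom DialContext that ignores the hostname) and must re-run the check on every redirect target, since an allowed public host can 302 the server to an internal one. Outbound egress filtering at the network layer remains the backstop when the application-level check is bypassed.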

Details

CWE(s)
CWE-918

Affected Products

Vendor: usememos
Product: memos
Version: 0.23.0
