CVE-2024-29029 in memosinfo

Summary

by MITRE • 04/19/2024

memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the /o/get/image that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/04/2025

The vulnerability identified as CVE-2024-29029 affects memos version 0.13.2, a privacy-focused note-taking service that has been designed with lightweight operations in mind. This particular flaw represents a critical security weakness that combines server-side request forgery with cross-site scripting vulnerabilities, creating a dangerous attack surface for unauthenticated users. The vulnerability manifests specifically within the /o/get/image endpoint, which serves as an interface for retrieving images from external sources while failing to properly validate or sanitize the input parameters.

The technical implementation of this vulnerability stems from inadequate input validation mechanisms within the image retrieval functionality. When users submit requests to the /o/get/image endpoint, the application accepts external URLs without sufficient sanitization or restriction, allowing attackers to specify arbitrary internal network addresses or services. This SSRF capability enables threat actors to enumerate internal network components and potentially access sensitive internal resources that would otherwise be protected by network segmentation. The vulnerability's design flaw permits direct access to internal systems through the application's image handling mechanism, bypassing normal network security controls.

The operational impact of this vulnerability extends beyond simple network enumeration, as it creates a pathway for reflected XSS attacks through the response manipulation mechanism. When the application fetches images from external sources, it copies the response content directly into its own response without proper sanitization, creating a reflected XSS vector. This means that malicious actors can not only access internal systems but also inject malicious scripts that execute in the context of authenticated users who interact with the vulnerable service. The combination of these attack vectors significantly amplifies the potential damage, allowing for both reconnaissance and active exploitation phases within a single attack.

Security practitioners should consider this vulnerability in the context of CWE-918, which specifically addresses server-side request forgery vulnerabilities, and CWE-79, which covers cross-site scripting flaws. The attack patterns align with those documented in the MITRE ATT&CK framework under T1190 for exploit public-facing application and T1071.004 for application layer protocol. Organizations running memos 0.13.2 should immediately implement network-level restrictions to prevent outbound connections from the vulnerable service to internal network segments. Additionally, proper input validation and URL sanitization mechanisms must be implemented to ensure that all external resource requests are properly constrained and validated before processing. The recommended mitigation includes implementing strict allowlists for external URLs, enforcing proper content security policies, and conducting thorough input validation to prevent both SSRF and XSS exploitation vectors from being successfully leveraged against the service.

Responsible

GitHub, Inc.

Reservation

03/14/2024

Disclosure

04/19/2024

Moderation

accepted

CPE

ready

EPSS

0.01080

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!