usememos memos
cpe:2.3:a:usememos:memos:*:*:*:*:*:*:*
- 0.25.2
A broken access control vulnerability has been identified in usememos Memos version 0.25.2. It allows unauthorized users to create accounts through the API v1 user endpoint even when user registration is disabled in the application settings. The vulnerability arises from a missing authorization check on that endpoint, which could lead to further exploitation such as account takeover or unauthorized file uploads.
Exploiting this vulnerability yields unauthorized account creation that bypasses an application-level restriction. This could lead to unauthorized access and actions within the application, especially since the newly created accounts could be used to exploit other vulnerabilities that require authentication.
To reproduce this vulnerability, send a POST request to the /api/v1/users endpoint with a username and password. This can be done even when user registration is disabled in the application settings.
Users can update to Memos version 0.25.3, which addresses this vulnerability by implementing the necessary authorization checks. The update is available on the Memos GitHub Releases page.
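The kind of server-side authorization check the fix describes, as an added example written in Go (the language Memos is implemented in); this is not Memos' own code, and UserService, DisallowRegistration and AdminTokens are assumed names standing in for the real workspace setting and session handling. The check runs before the request body is parsed, so an anonymous caller is refused while registration is disabled and only an admin session may create users in that state.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// UserService stands in for the service behind POST /api/v1/users (field names are assumed).
type UserService struct {
	DisallowRegistration bool            // the workspace setting the advisory refers to
	AdminTokens          map[string]bool // constructed session tokens that belong to admins
}

// authorizeCreateUser is the check the advisory describes as missing, run before the body is read.
func (s *UserService) authorizeCreateUser(r *http.Request) error {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if tok != "" && s.AdminTokens[tok] {
		return nil // an admin session may always create users
	}
	if tok != "" || s.DisallowRegistration {
		return fmt.Errorf("user creation is not permitted for this caller") // non-admin sessions never; anonymous only while open
	}
	return nil // anonymous self-registration while the setting allows it
}

// CreateUser handles POST /api/v1/users: authorize first, validate second, create last.
func (s *UserService) CreateUser(w http.ResponseWriter, r *http.Request) {
	if err := s.authorizeCreateUser(r); err != nil {
		http.Error(w, err.Error(), http.StatusForbidden)
		return
	}
	var body struct{ Username, Password string }
	if err := json.NewDecoder(r.Body).Decode(&body); err != nil || body.Username == "" || body.Password == "" {
		http.Error(w, "username and password required", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusCreated) // a real implementation hashes the password and persists the user here
}

// TryCreate drives the handler with one constructed request (empty token = anonymous) and returns the status.
func TryCreate(s *UserService, token, username, password string) int {
	body := fmt.Sprintf(`{"username":%q,"password":%q}`, username, password)
	req := httptest.NewRequest(http.MethodPost, "/api/v1/users", strings.NewReader(body))
	req.Header.Set("Authorization", "Bearer "+token) // a bare "Bearer " is treated as no session
	rec := httptest.NewRecorder()
	s.CreateUser(rec, req)
	return rec.Code
}
```

With registration disabled, an anonymous POST now gets 403 instead of 201, which is also the response a detection rule or integration test for this endpoint should expect.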