usememos Memos Access Control Vulnerability in Reaction Deletion

Vulnerability

A broken access control vulnerability has been identified in usememos Memos version 0.25.2. This issue allows low-privileged users to delete reactions from other users' Memos. The vulnerability arises from missing authorization checks, which can be exploited by authenticated users with limited rights.

Impact

Exploitation of this vulnerability allows low-privileged users to arbitrarily delete reactions from other users' Memos, potentially disrupting user interactions and engagement on the platform.

Reproduction

To reproduce this vulnerability, an authenticated user with low-level privileges can send a DELETE request to the '/api/v1/reactions/' endpoint, including the numeric ID of the reaction to be deleted. This request must be made with a valid user session cookie.

Remediation

Users can update to Memos version 0.25.3, which addresses this vulnerability by implementing the necessary authorization checks to prevent low-privileged users from deleting reactions they do not own.
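The fix described above is a resource-level ownership check: before deleting, the server must load the reaction and compare its creator with the authenticated caller. The following Go program is an added illustration of that pattern and is not code from the Memos project; the types, role names and in-memory store are constructed for the example, and the only assumption carried over from the advisory is that a reaction is deleted by numeric ID on behalf of a session-authenticated user. It shows the flawed shape (delete by ID with no ownership comparison) beside the hardened one (look up, compare creator or admin role, then delete), which is the check an HTTP handler should call after resolving the session cookie to a user.

```go
package main

import (
	"errors"
	"fmt"
)

// Reaction is a constructed, simplified model: each reaction is attached to a
// memo and owned by the user who created it.
type Reaction struct {
	ID        int
	MemoID    int
	CreatorID int
}

// Role is the caller's privilege level (hypothetical names, not Memos' own).
type Role int

const (
	RoleUser Role = iota
	RoleAdmin
)

// Caller is the principal the server resolved from the session cookie.
type Caller struct {
	UserID int
	Role   Role
}

var (
	ErrNotFound  = errors.New("reaction not found")
	ErrForbidden = errors.New("permission denied: caller does not own this reaction")
)

// Store is an in-memory stand-in for the reactions table.
type Store struct {
	reactions map[int]Reaction
}

// NewStore seeds the store with constructed sample reactions.
func NewStore(rs ...Reaction) *Store {
	s := &Store{reactions: make(map[int]Reaction)}
	for _, r := range rs {
		s.reactions[r.ID] = r
	}
	return s
}

// Has reports whether a reaction with the given ID still exists.
func (s *Store) Has(id int) bool {
	_, ok := s.reactions[id]
	return ok
}

// DeleteReactionUnchecked models the flawed behaviour: any authenticated
// caller may delete any reaction, because authentication is checked but
// authorization (ownership) never is.
func (s *Store) DeleteReactionUnchecked(c Caller, id int) error {
	if !s.Has(id) {
		return ErrNotFound
	}
	delete(s.reactions, id)
	return nil
}

// DeleteReaction is the hardened version: fetch the record first, then refuse
// the delete unless the caller created the reaction or holds an admin role.
func (s *Store) DeleteReaction(c Caller, id int) error {
	r, ok := s.reactions[id]
	if !ok {
		return ErrNotFound
	}
	if r.CreatorID != c.UserID && c.Role != RoleAdmin {
		return ErrForbidden
	}
	delete(s.reactions, id)
	return nil
}

func main() {
	// Constructed sample data: two users reacted to the same memo.
	alice := Caller{UserID: 100, Role: RoleUser}
	bob := Caller{UserID: 200, Role: RoleUser}
	s := NewStore(
		Reaction{ID: 1, MemoID: 10, CreatorID: alice.UserID},
		Reaction{ID: 2, MemoID: 10, CreatorID: bob.UserID},
	)

	// Bob trying to remove Alice's reaction: refused by the hardened path.
	fmt.Println("hardened, bob deletes #1:", s.DeleteReaction(bob, 1), "still exists:", s.Has(1))
	// The same request against the flawed path succeeds.
	fmt.Println("unchecked, bob deletes #1:", s.DeleteReactionUnchecked(bob, 1), "still exists:", s.Has(1))
}
```

Returning a distinct "forbidden" error (rather than silently succeeding or reporting "not found") also gives the server a clean event to log, so repeated cross-user delete attempts are visible in audit trails.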

Added: Dec 8, 2025, 4:17 PM
Updated: Dec 8, 2025, 6:30 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.