usememos Memos Path Traversal Vulnerability Allowing Arbitrary File Overwrite

A path traversal vulnerability has been identified in the Attachment service of usememos Memos version 0.25.2. This issue arises from inadequate validation of file names in the attachment upload process, allowing authenticated, low-privileged attackers to manipulate file paths and overwrite arbitrary files with chosen content. When attachments are stored locally, this vulnerability can be exploited to corrupt the application's database, particularly if SQLite is used as the database backend.

Impact

Exploitation of this vulnerability allows for path traversal, enabling overwriting of arbitrary files. In the case of SQLite database users, this could lead to corruption of the database file.

Reproduction

To reproduce this vulnerability, upload an attachment through the application's REST API. Include a file name that traverses directories, such as 'Test/../../memos_prod.db', which would overwrite the database file if SQLite is the active database backend.

Remediation

Users can update to Memos version 0.25.3, which includes the necessary filename validation to prevent this vulnerability.