memos is a privacy-first, lightweight note-taking service. In memos 0.13.2, an SSRF vulnerability exists at the `/o/get/image` that allows unauthenticated users to enumerate the internal network and retrieve images. The response from the image request is then copied into the response of the current server request, causing a reflected XSS vulnerability. Version 0.22.0 of memos removes the vulnerable file.

Affected Packages

Go github.com/usememos/memos

Affected versions: 0 (fixed in 0.22.0)

Related CVEs

CVE-2024-29029

Key Information

GHSA ID

GHSA-9cqm-mgv9-vv9j

Published

August 5, 2024 9:29 PM

Last Modified

August 5, 2024 9:29 PM

CVSS Score

5.0 /10

Primary Ecosystem

Primary Package

github.com/usememos/memos

GitHub Reviewed

✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.