Skip to main content

Memos CVE-2025-22952

CRITICAL
Server-Side Request Forgery (SSRF) (CWE-918)
2025-02-27 cve@mitre.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:28 vuln.today
Patch released
Mar 28, 2026 - 18:28 nvd
Patch available
PoC Detected
Jul 10, 2025 - 22:52 vuln.today
Public exploit code
CVE Published
Feb 27, 2025 - 20:16 nvd
CRITICAL 9.8

DescriptionCVE.org

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.

AnalysisAI

elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.0%.

Technical ContextAI

This vulnerability is classified as Server-Side Request Forgery (SSRF) (CWE-918), which allows attackers to make the server perform requests to unintended internal or external resources. elestio memos v0.23.0 is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks. Affected products include: Usememos Memos.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate and allowlist destination URLs, block requests to internal networks, use network segmentation.

More in Memos

View all
CVE-2022-4686 CRITICAL POC
9.8 Dec 23

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.0. Rated critical seve

CVE-2022-4866 CRITICAL POC
9.0 Dec 31

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. Rated critical severity (CVSS 9.

CVE-2022-4865 CRITICAL POC
9.0 Dec 31

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos prior to 0.9.1. Rated critical severity (CVSS 9.

CVE-2023-5036 HIGH POC
8.8 Sep 18

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.15.1. Rated high severity (CVSS 8.8), t

CVE-2023-4697 HIGH POC
8.8 Sep 01

Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2. Rated high severity (CVSS 8.8), this

CVE-2022-4844 HIGH POC
8.8 Dec 29

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos prior to 0.9.1. Rated high severity (CVSS 8.8), th

CVE-2022-4809 HIGH POC
8.8 Dec 28

Improper Access Control in GitHub repository usememos/memos prior to 0.9.1. Rated high severity (CVSS 8.8), this vulnera

CVE-2022-4808 HIGH POC
8.8 Dec 28

Improper Privilege Management in GitHub repository usememos/memos prior to 0.9.1. Rated high severity (CVSS 8.8), this v

CVE-2022-4803 HIGH POC
8.8 Dec 28

Authorization Bypass Through User-Controlled Key in GitHub repository usememos/memos prior to 0.9.1. Rated high severity

CVE-2022-4689 HIGH POC
8.8 Dec 23

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. Rated high severity (CVSS 8.8), this vulnera

CVE-2022-4688 HIGH POC
8.8 Dec 23

Improper Authorization in GitHub repository usememos/memos prior to 0.9.0. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-4684 HIGH POC
8.8 Dec 23

Improper Access Control in GitHub repository usememos/memos prior to 0.9.0. Rated high severity (CVSS 8.8), this vulnera

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:latest Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/kvm-os-container:latest Container suse/sl-micro/6.0/rt-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Affected
SUSE Linux Enterprise Server 16.0 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.1 Fixed

Share

CVE-2025-22952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy