source/_posts/Securing Go Applications With SonarQube: Real-World Examples.md
Lines changed: 5 additions & 4 deletions
@@ -51,15 +51,15 @@ However, our recent security research has uncovered a serious issue. We've ident
51
51
52
52
These vulnerabilities are:
53
53
54
-
1.**Stored Cross-Site Scripting (XSS)**: We also discovered two stored XSS vulnerabilities. Allowing attackers to inject JavaScript code that, when executed by an administrator, could abuse the admin's privileges. This, in turn, could be used to update the instance configuration, allowing exploitation of the second Path Traversal vulnerability for a full server compromise.
54
+
1.**CVE-2025-56761, Stored Cross-Site Scripting (XSS)**: We also discovered two stored XSS vulnerabilities. Allowing attackers to inject JavaScript code that, when executed by an administrator, could abuse the admin's privileges. This, in turn, could be used to update the instance configuration, allowing exploitation of the second Path Traversal vulnerability for a full server compromise.
55
55
56
-
2.**Arbitrary File Write via Path Traversal**: When Memos is configured to use [local storage](https://www.usememos.com/docs/advanced-settings/local-storage), a flaw in how it handles file paths allows an authenticated attacker to write arbitrary files to the server. This could be leveraged to achieve full remote code execution, giving them full control of the system.
56
+
2.**CVE-2025-56760, Arbitrary File Write via Path Traversal**: When Memos is configured to use [local storage](https://www.usememos.com/docs/advanced-settings/local-storage), a flaw in how it handles file paths allows an authenticated attacker to write arbitrary files to the server. This could be leveraged to achieve full remote code execution, giving them full control of the system.
57
57
58
58
Despite our best efforts to responsibly disclose and contact the maintainers, we unfortunately did not receive a response. In accordance with our 90-day disclosure policy, we are now making this information public to ensure user awareness. We strongly recommend that individuals and organizations deploying Memos be acutely aware and take immediate action. The most secure course is to **restrict Memos access to trusted users only**. This could help mitigate the immediate risks, but the long-term solution requires a patch from the maintainers or a transition to a more secure platform.
The core of this issue lies in the [/memos.api.v1.ResourceService/CreateResource](https://github.com/usememos/memos/blob/v0.24.0/server/router/api/v1/resource_service.go#L47) endpoint, which handles file uploads. While the function correctly checks if a user is authenticated, it doesn't perform any further authorization checks. This means that *any* authenticated user, regardless of their role or privileges, can initiate a file upload.
65
65
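Review bot: the two rewritten list items (new lines 54 and 56) still have no space between the list marker and the bold text, so `1.**CVE-2025-56761, Stored Cross-Site Scripting (XSS)**:` will not render as an ordered list item in Markdown; write `1. **CVE-2025-56761, Stored Cross-Site Scripting (XSS)**:` and `2. **CVE-2025-56760, Arbitrary File Write via Path Traversal**:`. Since this commit now pins a single CVE to an item that says "We also discovered two stored XSS vulnerabilities", state whether CVE-2025-56761 covers both findings. The second sentence of that item is a fragment ("Allowing attackers to inject JavaScript code ..."); join it to the previous sentence or give it a subject.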
@@ -130,7 +130,7 @@ An authenticated attacker can leverage this to create a resource with a filename
130
130
131
131
The severity of this flaw is significant. It could lead to remote code execution by allowing an attacker to write files that the server executes, such as cron jobs or malicious scripts. They could also overwrite crucial application configurations or modify SSH keys for a full server compromise.
But what if the `workspaceStorageSetting` isn't configured to store files locally? In this case, an attacker can use the built-in feature to share files. Since the user-controlled files are served under the same domain without any restriction/sandboxing.
136
136
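Review bot: the hunk header declares a one-line change in this region but the visible lines are all unchanged context, so the actual edit cannot be reviewed here; please confirm the intended change landed. While touching this paragraph, the last sentence "Since the user-controlled files are served under the same domain without any restriction/sandboxing." is a fragment; fold it into the preceding sentence, for example "... an attacker can use the built-in feature to share files, since the user-controlled files are served under the same domain without any restriction or sandboxing."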
@@ -208,6 +208,7 @@ Despite our best efforts to responsibly disclose and contact the maintainers, we
208
208
| 2025-05-19 | We ping Gin’s maintainers |
209
209
| 2025-05-20 | Gin’s maintainers acknowledge our report and fix the issue |
210
210
| 2025-05-12 | We notify Memos that our 90-day disclosure window has elapsed and that we will be releasing the information to the public |
211
+
| 2025-09-02 | CVEs CVE-2025-56760 and CVE-2025-56761 are assigned |
211
212
212
213
# Summary
213
214
Our security research into popular Go projects has revealed critical vulnerabilities that highlight the continuous importance of rigorous security analysis in open-source projects. Leveraging the power of SonarQube's static analysis capabilities, developers can easily detect and mitigate such vulnerabilities during the development process. This proactive approach is crucial, as even the most widely used and trusted tools can contain hidden flaws.
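Review bot: the added timeline row reads "CVEs CVE-2025-56760 and CVE-2025-56761 are assigned", which repeats the "CVE" prefix; suggest `| 2025-09-02 | CVE-2025-56760 and CVE-2025-56761 are assigned |`. The surrounding rows are also out of chronological order (the 2025-05-12 notification row sits after the 2025-05-19 and 2025-05-20 rows), and the two Gin rows appear in a timeline about Memos; since this commit is already editing the table, it is a good moment to sort the rows by date and check that the Gin entries belong here.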