CVE-2025-56761: 
NixOS vulnerability analysis and mitigation

Memos version 0.22 contains a Stored Cross-site Scripting (XSS) vulnerability (CVE-2025-56761) affecting the upload attachment and user avatar features. The vulnerability stems from the application's failure to verify uploaded content types, serving the data back without proper validation. This vulnerability was discovered in September 2025 and affects the Memos note-taking application, which has over 40,000 stars on GitHub (Sonar Blog).

The vulnerability exists in two main features: file upload and user avatar functionality. In the avatar feature, the UpdateUser endpoint accepts data URLs without proper content type validation. When serving the avatar through GetUserAvatarBinary function, the application extracts both content and content-type from user input without verification. For file uploads, the vulnerability is present in the /memos.api.v1.ResourceService/CreateResource endpoint. The CVSS v3.1 base score is 5.4 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

An authenticated attacker can exploit this vulnerability to execute arbitrary JavaScript code in the context of other users' sessions, particularly administrators. When an administrator views the malicious content, the stored XSS payload executes, potentially allowing privilege escalation and full control of the Memos server (Sonar Blog).

As no official patch has been released despite responsible disclosure attempts, the recommended mitigation is to restrict Memos access to trusted users only. Organizations should consider transitioning to a more secure platform until a proper fix is available from the maintainers (Sonar Blog).

Despite multiple attempts to contact the maintainers over a 90-day disclosure period, no response was received from the Memos team. The security researchers followed responsible disclosure practices before making the vulnerability public to ensure user awareness (Sonar Blog).