CVE-2025-56760: Memos Vulnerable to Path Traversal via the CreateResource Endpoint

September 4, 2025 (updated September 5, 2025)

When Memos 0.22 is configured to store objects locally, an attacker can create a file via the CreateResource endpoint containing a path traversal sequence in the name, allowing arbitrary file write on the server.

References

github.com/advisories/GHSA-78j5-8vq7-jxv5
github.com/usememos/memos
github.com/usememos/memos/blob/v0.24.4/server/router/api/v1/resource_service.go
nvd.nist.gov/vuln/detail/CVE-2025-56760
www.sonarsource.com/blog/securing-go-applications-with-sonarqube-real-world-examples

Code Behaviors & Features

Detect and mitigate CVE-2025-56760 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →