Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos

Valid

Reported on

Apr 20th 2023


Description

I have discovered a vulnerability where any user can modify another user's data, including the password, simply by intercepting and changing the access token of the JWT using https://token.dev. The system does not verify whether the JWT token was issued by the server, so it accepts the edited JWT token. This can lead to unauthorized modification of the email address, password and other personal data of any user.

Proof of Concept

https://drive.google.com/file/d/1aTd_eBkqEX-LpdbCKI3E_fP1rzCg_aYd/view?usp=sharing

Impact

This vulnerability can have significant consequences on the security of the affected system. By allowing unauthorized users to modify the data of other users, it can result in the following:

Account Takeover: An attacker can change the password of any user just by using a forged JWT token.

Privacy violations: Any unauthorized modifications to a user's email can lead to privacy violations as sensitive information can be exposed or accessed without the user's consent.

Data breaches: If a user's email is changed, it can result in unauthorized access to sensitive information that may result in a data breach. This can lead to legal and financial consequences for both the users and the organization.

An attacker can further use this information to defame the users or the organization.
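The report describes a server that reads claims out of a JWT without checking that it signed the token. The following Go code is an added illustration written for this page, not code from the report or from memos: it places the weak pattern (decode the payload and trust it) beside a hardened HS256 check that pins the algorithm, recomputes the MAC with the server key and compares it in constant time. The claim name "sub" and the key are assumptions; memos' real token layout may differ.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

func hs256(input string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}
// SignHS256 issues a compact HS256 JWT as the server would; used here to build sample tokens.
func SignHS256(payload, key []byte) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(input, key))
}
// ClaimsUnverified is the weak pattern from the report: the payload is trusted with no signature check.
func ClaimsUnverified(token string) (claims map[string]interface{}, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}
// ClaimsVerified is the fix: pin alg (refusing alg=none), recompute the MAC with the server key, then read claims.
func ClaimsVerified(token string, key []byte) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(hs256(parts[0]+"."+parts[1], key), sig) {
		return nil, errors.New("bad signature: token was not issued by this server")
	}
	return ClaimsUnverified(token)
}
```

With a real library the same rule applies: verify the signature and the expected algorithm before any claim is used to select a user record.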

We are processing your report and will contact the usememos/memos team within 24 hours. 8 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 8 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 7 months ago
M Nadeem Qazi
7 months ago

Researcher


Any Update?

M Nadeem Qazi modified the report
7 months ago
M Nadeem Qazi modified the report
7 months ago
correctroadh validated this vulnerability 5 months ago
M Nadeem Qazi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
correctroadh gave praise 5 months ago
Thanks for your job.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
correctroadh
5 months ago

Maintainer


I have submitted a new PR to fix it. Thank you❤️

correctroadh marked this as fixed in 0.13.2 with commit c9aa2e 5 months ago
correctroadh has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 1st 2023
M Nadeem Qazi
5 months ago

Researcher


Finally..... Thank you.

correctroadh published this vulnerability 3 months ago