Local File Inclusion (LFI) in usememos/memos


Reported on

Apr 26th 2023


The vulnerability in the code is a Local File Inclusion (LFI) vulnerability. It allows an attacker to read arbitrary files on the server by exploiting a flaw in the code that allows the attacker to manipulate the "InternalPath" parameter in a request to include files from the server's file system. The attacker can use this vulnerability to read sensitive files on the server, such as configuration files, databases, and other files that contain sensitive information. This vulnerability can be exploited remotely, and it can have severe consequences, including data theft, server compromise, and loss of confidential information.

Proof of Concept



The impact of a successful exploitation of Local File Inclusion (LFI) vulnerability can be severe. An attacker can use LFI to access sensitive files, such as system files, configuration files, or application files that contain sensitive information like credentials, private keys, or other critical data. The attacker can use this information to further exploit the system, launch more attacks, or steal sensitive data.

In some cases, LFI can also lead to Remote Code Execution (RCE), allowing an attacker to execute arbitrary code on the target system, which can result in complete compromise of the system.

Additionally, an attacker can also use LFI to launch other attacks like Directory Traversal, Server-Side Request Forgery (SSRF), or Denial of Service (DoS) attacks, which can further compromise the system or disrupt its normal operation.

Overall, LFI is a serious vulnerability that can lead to significant security risks and must be addressed immediately.


The problem with the code is that it allows Local File Inclusion (LFI) attacks by not properly validating and sanitizing user input for the InternalPath field. This means that an attacker could provide a malicious value forInternalPath when creating or updating a Resource, which would be blindly used to access sensitive files on the server's file system.

For example, an attacker could set the InternalPath field to/etc/passwd or /proc/self/environ to attempt to retrieve the server's sensitive files. This would result in the server returning the contents of the internal file, potentially revealing sensitive information.

We are processing your report and will contact the usememos/memos team within 24 hours. 7 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 7 months ago
We have contacted a member of the usememos/memos team and are waiting to hear back 7 months ago
correctroadh validated this vulnerability 5 months ago
M Nadeem Qazi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
correctroadh gave praise 5 months ago
Thank you for your great work. 😃
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
correctroadh marked this as fixed in 0.13.2 with commit c9aa2e 5 months ago
correctroadh has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 1st 2023
resource.go#L1-L69 has been validated
M Nadeem Qazi
5 months ago


Thank you!

correctroadh published this vulnerability 3 months ago
to join this conversation