CVE-2025-65797: memos vulnerability allows arbitrarily modification or deletion registered identity providers

December 8, 2025 (updated December 9, 2025)

Incorrect access control in the Identity Provider service of usememos memos v0.25.2 allows attackers with low-level privileges to arbitrarily modify or delete registered identity providers, leading to an account takeover or Denial of Service (DoS).

References

github.com/advisories/GHSA-99m2-qwx6-2w6f
github.com/usememos/memos
github.com/usememos/memos/commit/769dcd0cf9be83d472829f6e7903b201e42f6b3c
github.com/usememos/memos/pull/5217
herolab.usd.de/security-advisories/usd-2025-0057
nvd.nist.gov/vuln/detail/CVE-2025-65797

Code Behaviors & Features

Detect and mitigate CVE-2025-65797 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →