x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mr34-8733-grr2

[GoVulnBot]

Advisory GHSA-mr34-8733-grr2 references a vulnerability in the following Go modules:

Module
github.com/usememos/memos

Description:

Summary

Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password.

The bad actor though will still have access to their account because the bad actor's Access Token stays on the list as a valid token. The user will have to manually delete the bad actor's Access Token to secure their account. The list of Access Tokens has a generic Description which makes it hard to pinpoint a bad actor in a list of ...

References:

• ADVISORY: GHSA-mr34-8733-grr2
• ADVISORY: GHSA-mr34-8733-grr2
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-21635
• WEB: http://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
• WEB: https://owasp.org/Top10/A04_2021-Insecure_Design

Cross references:

• github.com/usememos/memos appears in 68 other report(s):
  • data/excluded/GO-2022-1173.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rgj5-jj5q-v3v7 #1173) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1226.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c2v4-8r9g-g5xj #1226) NOT_GO_CODE
  • data/excluded/GO-2022-1228.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-v92p-phmp-xffr #1228) NOT_GO_CODE
  • data/excluded/GO-2022-1254.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c5hq-35h7-r9x4 #1254) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1255.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cwrm-33qq-4w2x #1255) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2022-1258.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gxqf-4g4p-q3hc #1258) NOT_GO_CODE
  • data/excluded/GO-2022-1262.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pwhr-p68w-296x #1262) NOT_GO_CODE
  • data/excluded/GO-2022-1265.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rmhx-9h5h-3xh3 #1265) NOT_GO_CODE
  • data/excluded/GO-2023-1271.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8w5q-5fpq-v4pm #1271) NOT_GO_CODE
  • data/excluded/GO-2023-1272.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x9p9-v3x6-68mq #1272) NOT_GO_CODE
  • data/excluded/GO-2023-1286.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5jqp-wmhj-g33f #1286) EFFECTIVELY_PRIVATE
  • data/excluded/GO-2023-1460.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-8686-4cr3-76wj #1460) NOT_GO_CODE
  • data/excluded/GO-2023-1467.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pcvh-px2p-vmxw #1467) NOT_GO_CODE
  • data/excluded/GO-2023-2037.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-96gq-6ch5-mm54 #2037) EFFECTIVELY_PRIVATE
  • data/reports/GO-2022-1189.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-c8jh-vcjh-fx2w #1189)
  • data/reports/GO-2022-1190.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vwg4-846x-f94v #1190)
  • data/reports/GO-2022-1191.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-w57v-6xp4-rm2v #1191)
  • data/reports/GO-2022-1192.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcw2-492v-57xj #1192)
  • data/reports/GO-2022-1205.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9v48-2h5x-fvpm #1205)
  • data/reports/GO-2022-1215.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-68gw-r2x5-7r5r #1215)
  • data/reports/GO-2022-1216.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f552-97qx-c694 #1216)
  • data/reports/GO-2022-1217.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fv6c-rfg3-gvjw #1217)
  • data/reports/GO-2022-1218.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qr52-59r6-49f4 #1218)
  • data/reports/GO-2022-1219.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-33m8-f4hw-wm3q #1219)
  • data/reports/GO-2022-1220.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j593-h5v3-45x6 #1220)
  • data/reports/GO-2022-1225.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-97rc-mm5j-f6rj #1225)
  • data/reports/GO-2022-1235.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-f83p-pg86-p922 #1235)
  • data/reports/GO-2022-1236.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-ghx2-6v4g-9wmm #1236)
  • data/reports/GO-2022-1239.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-jvq8-w7qv-hqp6 #1239)
  • data/reports/GO-2022-1240.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfvq-m3jj-8864 #1240)
  • data/reports/GO-2022-1243.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qcf5-m2c6-89f2 #1243)
  • data/reports/GO-2022-1244.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qrrf-xvcf-p64q #1244)
  • data/reports/GO-2022-1245.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qw36-rw5q-gxcq #1245)
  • data/reports/GO-2022-1248.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-rx2m-xr4x-54hh #1248)
  • data/reports/GO-2022-1250.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-642q-2q68-9j3p #1250)
  • data/reports/GO-2022-1251.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fx9-29x2-fmfj #1251)
  • data/reports/GO-2022-1252.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6w5w-wx8w-2cq9 #1252)
  • data/reports/GO-2022-1253.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-7qpw-2j9m-rw8c #1253)
  • data/reports/GO-2022-1256.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gfj4-wg89-m22r #1256)
  • data/reports/GO-2022-1257.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-gw9m-2m5v-c6x5 #1257)
  • data/reports/GO-2022-1259.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hc5q-26h8-r9wf #1259)
  • data/reports/GO-2022-1260.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-m5pr-wm6q-x4g2 #1260)
  • data/reports/GO-2022-1261.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-pp3p-6jjh-rmg7 #1261)
  • data/reports/GO-2022-1263.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-qf9q-3wwx-8qjv #1263)
  • data/reports/GO-2022-1264.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r7hg-2cpp-8wqq #1264)
  • data/reports/GO-2022-1266.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-vh43-cc6x-prpr #1266)
  • data/reports/GO-2023-1270.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6whj-8g9g-5jvx #1270)
  • data/reports/GO-2023-1285.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-42q2-m54f-jh95 #1285)
  • data/reports/GO-2023-1291.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mfmp-8mqg-q4wm #1291)
  • data/reports/GO-2023-1292.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-mq5q-gpgv-pwxw #1292)
  • data/reports/GO-2023-1449.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-r3p3-5f35-h6mf #1449)
  • data/reports/GO-2023-1461.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9h7x-9pmh-7gg8 #1461)
  • data/reports/GO-2023-1462.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-fpjc-cxr6-w6h8 #1462)
  • data/reports/GO-2023-1465.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-h2ph-9r76-37v5 #1465)
  • data/reports/GO-2023-1469.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-x22v-qgm2-7qc7 #1469)
  • data/reports/GO-2023-1566.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos/server: CVE-2022-25978 #1566)
  • data/reports/GO-2023-2036.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5j6p-59cj-j6cp #2036)
  • data/reports/GO-2023-2038.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-j2gj-g3p9-7mrr #2038)
  • data/reports/GO-2023-2065.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-2g7r-9xq5-c6hv #2065)
  • data/reports/GO-2024-3046.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-65fm-2jgr-j7qq #3046)
  • data/reports/GO-2024-3047.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-6fcf-g3mp-xj2x #3047)
  • data/reports/GO-2024-3049.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-9cqm-mgv9-vv9j #3049)
  • data/reports/GO-2024-3088.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-p4fx-qf2h-jpmj #3088)
  • data/reports/GO-2024-3274.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-5r2g-59px-3q9w #3274)
  • data/reports/GO-2025-3492.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: CVE-2025-22952 #3492)
  • data/reports/GO-2025-3831.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-hfcf-79gh-f3jc #3831)
  • data/reports/GO-2025-3936.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-78j5-8vq7-jxv5 #3936)
  • data/reports/GO-2025-3937.yaml (x/vulndb: potential Go vuln in github.com/usememos/memos: GHSA-cgrg-86m5-xm4w #3937)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/usememos/memos
      vulnerable_at: 0.25.2
summary: Memos' Access Tokens Stay Valid after User Password Change in github.com/usememos/memos
cves:
    - CVE-2024-21635
ghsas:
    - GHSA-mr34-8733-grr2
references:
    - advisory: https://github.com/advisories/GHSA-mr34-8733-grr2
    - advisory: https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-21635
    - web: http://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures
    - web: https://owasp.org/Top10/A04_2021-Insecure_Design
source:
    id: GHSA-mr34-8733-grr2
    created: 2025-11-14T23:02:35.801573896Z
review_status: UNREVIEWED