Main Vulnerability Database Vulnerabilities #VU118841

Insufficient session expiration in memos - CVE-2024-21635

Published: November 28, 2025

Vulnerability identifier: #VU118841

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-21635

CWE-ID: CWE-613

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: memos

Affected software:
memos

Detailed vulnerability description

The vulnerability allows a remote attacker to gain unauthorized access to the application.

The vulnerability exists due to the application does not invalidate tokens after password change. The access token remains valid and allows an attacker to gain access to the victim's account even after the victim changes their password.

How to mitigate CVE-2024-21635

Install updates from vendor's website.

Sources

https://github.com/usememos/memos/security/advisories/GHSA-mr34-8733-grr2

Insufficient session expiration in memos - CVE-2024-21635

Detailed vulnerability description

How to mitigate CVE-2024-21635

Sources

Please verify you're human