CVE-2024-21635
BaseFortify

Publication date: 2025-11-14

Last updated on: 2025-11-26

Assigner: GitHub, Inc.

Description
Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing Access Tokens remain valid instead of expiring. A user who discovers that their account has been compromised can change their password, but in versions up to and including 0.18.1 the attacker keeps access, because the attacker's Access Token remains on the list as a valid token. To secure the account, the user has to delete the attacker's Access Token manually, and since every entry in the list carries a generic Description, the attacker's token is hard to pick out. No patched version of Memos is known to be available. To close the gap, all Access Tokens must be revoked when a user changes their password; this ends the sessions on all of the user's devices and prompts them to log in again. Old Access Tokens can be treated as invalid on the grounds that they were created under the previous password.
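An added example, not code from Memos or from the advisory, that puts the two token checks side by side. The token format, the PasswordGen counter on the user record and the in-memory token list are assumptions made for this illustration. ValidateVulnerable accepts any correctly signed token that is still on the user's list, which is the behaviour the advisory describes; ValidateFixed also compares the password generation the token was issued under with the user's current one, which is what treating pre-change tokens as invalid amounts to in code. RevokeAll is the list-clearing half of the fix, so that every device has to log in again.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// User is a minimal stand-in for an account record. PasswordGen is an
// assumption made for this example: a counter incremented on every password
// change, so a token can record which password was current when it was issued.
type User struct {
	ID          int64
	PasswordGen uint64
	Tokens      map[string]bool // access tokens currently listed for the user
}

// Issuer mints and checks HMAC-signed access tokens of the (assumed) form
// "<userID>.<passwordGen>.<base64url(HMAC-SHA256)>".
type Issuer struct {
	key   []byte
	Users map[int64]*User
}

func NewIssuer(key []byte) *Issuer {
	return &Issuer{key: key, Users: map[int64]*User{}}
}

func (s *Issuer) mac(userID int64, gen uint64) []byte {
	h := hmac.New(sha256.New, s.key)
	fmt.Fprintf(h, "%d.%d", userID, gen)
	return h.Sum(nil)
}

// Issue creates a token bound to the user's current password generation and
// records it in the user's token list.
func (s *Issuer) Issue(u *User) string {
	sig := base64.RawURLEncoding.EncodeToString(s.mac(u.ID, u.PasswordGen))
	tok := fmt.Sprintf("%d.%d.%s", u.ID, u.PasswordGen, sig)
	u.Tokens[tok] = true
	return tok
}

// parse checks the token's structure and signature and returns its fields.
func (s *Issuer) parse(tok string) (userID int64, gen uint64, err error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return 0, 0, errors.New("malformed token")
	}
	if userID, err = strconv.ParseInt(parts[0], 10, 64); err != nil {
		return 0, 0, err
	}
	if gen, err = strconv.ParseUint(parts[1], 10, 64); err != nil {
		return 0, 0, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, s.mac(userID, gen)) {
		return 0, 0, errors.New("bad signature")
	}
	return userID, gen, nil
}

// ChangePassword models the password change. Updating the stored hash is out
// of scope here; what matters is that the generation counter moves.
func (s *Issuer) ChangePassword(u *User) {
	u.PasswordGen++
}

// RevokeAll is the other half of the fix the advisory describes: drop every
// listed token so all devices must log in again.
func RevokeAll(u *User) {
	u.Tokens = map[string]bool{}
}

// ValidateVulnerable mirrors the advisory: a correctly signed token that is
// still in the user's list is accepted, however many password changes have
// happened since it was issued.
func (s *Issuer) ValidateVulnerable(tok string) (*User, error) {
	userID, _, err := s.parse(tok)
	if err != nil {
		return nil, err
	}
	u, ok := s.Users[userID]
	if !ok || !u.Tokens[tok] {
		return nil, errors.New("token not found")
	}
	return u, nil
}

// ValidateFixed additionally rejects any token issued under an earlier
// password generation, so a token minted before a password change is dead
// even if the list was never cleaned up.
func (s *Issuer) ValidateFixed(tok string) (*User, error) {
	userID, gen, err := s.parse(tok)
	if err != nil {
		return nil, err
	}
	u, ok := s.Users[userID]
	if !ok || !u.Tokens[tok] {
		return nil, errors.New("token not found")
	}
	if gen != u.PasswordGen {
		return nil, errors.New("token predates password change")
	}
	return u, nil
}

func main() {
	s := NewIssuer([]byte("example-server-key")) // constructed key, not a real secret
	victim := &User{ID: 1, Tokens: map[string]bool{}}
	s.Users[victim.ID] = victim
	stolen := s.Issue(victim) // token an attacker obtained before the password change
	s.ChangePassword(victim)
	_, errV := s.ValidateVulnerable(stolen)
	_, errF := s.ValidateFixed(stolen)
	fmt.Println("vulnerable check:", errV, "| fixed check:", errF)
}
```

Binding the generation into the signed token means the check holds even when the token list itself is never touched; clearing the list on password change is simpler to retrofit but depends on every issuance path writing to that list. Doing both is the safer choice for a service whose token list already has the identification problem the advisory describes.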
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-11-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: usememos, Product: memos, Version / Range: up to and including 0.18.1
CWE
CWE-287: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Memos, a note-taking service that uses Access Tokens for authentication. When a user changes their password, the existing Access Tokens remain valid instead of being revoked. This means that if an attacker has compromised an account and obtained an Access Token, changing the password does not invalidate the attacker's token. The attacker can continue to access the account until the user manually deletes the attacker's Access Token. Additionally, the Access Tokens have generic descriptions, making it difficult to identify malicious tokens. The proper fix would be to revoke all Access Tokens when a password is changed, forcing re-authentication.


How can this vulnerability impact me?

This vulnerability can allow an attacker who has obtained an Access Token to maintain unauthorized access to a user's account even after the user changes their password. This undermines the security of the account, potentially exposing sensitive notes or data stored in Memos. The user must manually identify and delete the attacker's Access Token to regain full control, which can be difficult due to generic token descriptions.


What immediate steps should I take to mitigate this vulnerability?

Changing the password alone does not invalidate existing Access Tokens, so after changing it users should revoke every Access Token on the account rather than try to pick out the attacker's: the generic descriptions make that identification unreliable, and deleting all tokens costs only a fresh login on each device. A password change combined with a full token revocation ends all sessions and forces re-authentication. Since a patched version is not yet available, this manual token cleanup is the only control available to secure an account.

