Arbitrary JavaScript Execution in Joplin Note Taking Application
CVE-2025-25187

5.4 MEDIUM

Key Information:

Vendor: Laurent22
Status: Vendor
CVE Published: 7 February 2025

What is CVE-2025-25187?

The Joplin note-taking application is vulnerable to arbitrary JavaScript execution because note titles are rendered with React's dangerouslySetInnerHTML without proper handling. The impact is amplified by the absence of a restrictive Content-Security-Policy for script sources and by nodeIntegration being enabled, which together allow injected script to run. Users who receive notes from unverified sources and then use the search function are particularly at risk. The issue is resolved in version 3.1.24; users should update to that version immediately, as no workarounds are available.
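The two rendering shapes the description contrasts, as an added illustration that is not Joplin's code: a title string handed to React as raw HTML versus the same title rendered as escaped text, alongside the Electron web preferences and script-source CSP that limit what injected markup can do. Function and constant names are illustrative, and the sample title is constructed.

```javascript
// Added example (not from the Joplin project). Names are illustrative.

// Minimal HTML escaper for text that must be placed inside markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: React's dangerouslySetInnerHTML takes {__html: string}
// and assigns it to innerHTML, so any markup in the title is parsed as HTML.
function unsafeTitleProps(title) {
  return { dangerouslySetInnerHTML: { __html: title } };
}

// Hardened shape: the title is a text child; React escapes it on render.
function safeTitleProps(title) {
  return { children: title };
}

// Hardened shape for non-React string templates: escape before interpolating.
function safeTitleMarkup(title) {
  return `<span class="title">${escapeHtml(title)}</span>`;
}

// Electron renderer settings that remove Node access from page scripts,
// which is what makes an in-page script injection reach the host system.
const hardenedWebPreferences = {
  nodeIntegration: false,   // renderer cannot require() Node modules
  contextIsolation: true,   // preload and page scripts use separate JS realms
  sandbox: true,
};

// A CSP that limits scripts to the app bundle and forbids inline scripts.
const restrictiveCsp = "default-src 'self'; script-src 'self'; object-src 'none'";

// Returns true when a CSP string still permits inline <script> execution:
// either no governing directive exists, or 'unsafe-inline' is listed.
function cspAllowsInlineScript(csp) {
  const directives = Object.fromEntries(
    csp.split(';').map(d => d.trim()).filter(Boolean)
      .map(d => { const [name, ...src] = d.split(/\s+/); return [name, src]; }));
  const sources = directives['script-src'] || directives['default-src'];
  if (!sources) return true;
  return sources.includes("'unsafe-inline'");
}
```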

Affected Version(s)

joplin < 3.1.24

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
