Path Traversal Vulnerability in Joplin Server Application
CVE-2025-27409

7.5HIGH

Key Information:

Vendor: Laurent22
Status: Joplin
Vendor: CVE Published:; 30 April 2025

What is CVE-2025-27409?

Joplin is an open-source note-taking application that allows for efficient organization of notes. A security flaw has been identified in Joplin Server, which enables path traversal if static file paths begin with 'css/pluginAssets' or 'js/pluginAssets'. This vulnerability enables unauthorized access to read files beyond the designated directories, posing risks to data privacy and integrity. The issue has been addressed in version 3.3.3, and users are advised to update their systems to mitigate potential threats.

Affected Version(s)

joplin < 3.3.3

References

https://github.com/laurent22/joplin/security/advisories/G...

x_refsource_CONFIRM

https://github.com/laurent22/joplin/pull/11916

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 30, 2025
Vulnerability Reserved
Feb 24, 2025

Laurent22

What is CVE-2025-27409?

Affected Version(s)

References

CVSS V3.1

Timeline