CVE-2025-25187 Information

Feb 08, 2025 cve

Description

Joplin is a free open source note taking and to-do application which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React’s dangerouslySetInnerHTML without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive script-src. This allows arbitrary JavaScript execution via inline onclick/onload event handlers in unsanitized HTML. Additionally Joplin’s main window is created with nodeIntegration set to true allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses ctrl-p to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Reference

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558 https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6 https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c

Share on: