CVE-2025-27409 Information

Description

Joplin is a free open source note taking and to-do application which can handle a large number of notes organised into notebooks. Prior to version 3.3.3 path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function in the default route calls localFileFromUrl to check for special pluginAssets paths. If the function returns a path the result is returned directly without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.

Reference

https://github.com/laurent22/joplin/pull/11916 https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5 https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5