Remote Code Execution on click of <a> Link in markdown preview
Description
Joplin is a free, open source note taking and to-do application. Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an `<a>` link within untrusted notes. The issue arises from insufficient sanitization of tag attributes in HTML introduced by Mermaid. This vulnerability allows the execution of untrusted HTML content within the Electron window, which has full access to Node.js APIs, enabling arbitrary shell command execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joplin-desktop RCE via XSS in Mermaid-generated tags due to insufficient sanitization and insecure Electron settings.
Vulnerability
Overview
CVE-2024-49362 is a remote code execution (RCE) vulnerability in Joplin-desktop, a free, open-source note-taking application. The flaw arises from insufficient sanitization of `<a>` tag attributes in HTML rendered by Mermaid diagrams within untrusted notes. When a user clicks a crafted `<a>` link, the application opens it in the same Electron window without proper isolation, leading to arbitrary shell command execution [1][3].
Exploitation
Mechanism
The markdown preview uses an iframe that shares the same origin as the parent and has `nodeIntegration` enabled while `contextIsolation` is disabled. Joplin only opens `<a>` links that carry a `data-from-md` attribute internally. An attacker can embed a Mermaid diagram (e.g., a flowchart) containing an `<a>` tag with this attribute. Because Mermaid-generated HTML is not sanitized for the `data-from-md` attribute, the link is opened within the Electron window with full Node.js API access. Moreover, the iframe lacks a `sandbox` attribute, allowing scripts to reach `window.parent` and use Node.js APIs [2][3].
Impact
Successful exploitation enables an attacker to execute arbitrary commands on the host system. Since Joplin uses Electron with elevated privileges, any script running in the affected context can invoke Node.js modules such as child_process to run shell commands, potentially leading to full system compromise [1][2].
Mitigation
The vulnerability was reported through Joplin's security advisory process; the Joplin project maintainers should issue a patched version that properly sanitizes Mermaid-generated HTML or restricts the opening of internal links to trusted origins. Users are advised to update Joplin-desktop once a fix is released and to exercise caution when importing notes from untrusted sources [3].
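The mechanism and mitigation sections above describe a renderer that trusts any `<a>` carrying a `data-from-md` marker, and a fix that sanitizes renderer-generated HTML before that decision is made. The following is an added example, not Joplin's code or the patch from the advisory: a small attribute allow-list for `<a>` start tags in untrusted HTML (such as Mermaid output) that drops the internal-link marker, event handlers and non-http(s) `href` values, plus a model of the "is this an internal link?" check to show it no longer fires on the sanitized output. The allow-list, the accepted URL schemes and the helper names are assumptions chosen for the example.

```javascript
// Added example (not Joplin's code): allow-list sanitizer for <a> start tags in
// HTML produced by an untrusted source. Production code should run a real HTML
// sanitizer (e.g. DOMPurify with a strict allow-list); this illustrates the policy.

// Assumed allow-list: attributes an <a> from untrusted HTML may keep.
// Everything else, including data-from-md and on* handlers, is dropped.
const ALLOWED_ANCHOR_ATTRS = new Set(['href', 'title', 'class', 'target', 'rel']);
// Assumed policy: URL schemes an href in untrusted HTML may use.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Matches one attribute inside a start tag body: name, optional quoted/unquoted value.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

function parseAttributes(body) {
  const attrs = [];
  for (const m of body.matchAll(ATTR_RE)) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? null; // null = boolean attribute
    attrs.push({ name, value });
  }
  return attrs;
}

// Relative links are allowed; absolute links must use an allow-listed scheme.
function hrefIsSafe(value) {
  if (value === null) return false;
  const trimmed = value.trim();
  if (!/^[a-z][a-z0-9+.-]*:/i.test(trimmed)) return true; // no scheme: relative
  try {
    return ALLOWED_SCHEMES.has(new URL(trimmed).protocol);
  } catch {
    return false; // unparseable absolute URL is rejected
  }
}

function serializeAttributes(attrs) {
  return attrs
    .map(({ name, value }) =>
      value === null ? name : `${name}="${value.replace(/"/g, '&quot;')}"`)
    .join(' ');
}

// Rewrites every <a ...> start tag so only allow-listed attributes survive.
function sanitizeAnchors(html) {
  return html.replace(/<a\b([^>]*)>/gi, (_, body) => {
    const kept = parseAttributes(body).filter(({ name, value }) => {
      if (!ALLOWED_ANCHOR_ATTRS.has(name)) return false;
      if (name === 'href') return hrefIsSafe(value);
      return true;
    });
    return kept.length ? `<a ${serializeAttributes(kept)}>` : '<a>';
  });
}

// Models the decision the page describes: the renderer treats a link as an
// internal markdown link only if its first <a> still carries data-from-md.
function treatedAsInternalLink(html) {
  const m = /<a\b([^>]*)>/i.exec(html);
  if (!m) return false;
  return parseAttributes(m[1]).some(({ name }) => name === 'data-from-md');
}

// Constructed sample of untrusted renderer output (not from the advisory).
const UNTRUSTED_HTML =
  '<a href="https://example.com/" data-from-md onclick="x()">link</a> ' +
  '<a href="javascript:void(0)" data-from-md>x</a>';

console.log(sanitizeAnchors(UNTRUSTED_HTML));
console.log('internal before:', treatedAsInternalLink(UNTRUSTED_HTML),
            'after:', treatedAsInternalLink(sanitizeAnchors(UNTRUSTED_HTML)));

module.exports = { sanitizeAnchors, treatedAsInternalLink, hrefIsSafe, UNTRUSTED_HTML };
```

The key design point is that the sanitizer runs on the HTML the diagram renderer emits, not on the markdown the user typed, so the trust marker cannot be smuggled in by any intermediate generator; the allow-list also removes `javascript:` and `file:` hrefs and inline event handlers, which would otherwise remain reachable in a window that exposes Node.js APIs.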
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joplin (npm) | >= 3.0.0, < 3.1.0 | 3.1.0 |
Affected products
- laurent22/joplin (range: < 3.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hff8-hjwv-j9q7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-49362 (NVD record)
- github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7 (vendor advisory)
News mentions
No linked articles in our index yet.