VYPR
Unrated severityNVD Advisory· Published Feb 7, 2025· Updated Feb 10, 2025

Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin

CVE-2025-25187

Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive script-src. This allows arbitrary JavaScript execution via inline onclick/onload event handlers in unsanitized HTML. Additionally, Joplin's main window is created with nodeIntegration set to true, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses ctrl-p to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Joplin/Joplinllm-fuzzy2 versions
    <3.1.24+ 1 more
    • (no CPE)range: <3.1.24
    • (no CPE)range: < 3.1.24

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.