VYPR
Unrated severityNVD Advisory· Published Apr 30, 2025· Updated Apr 30, 2025

Joplin Server Vulnerable to Path Traversal

CVE-2025-27409

Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function in the default route calls localFileFromUrl to check for special pluginAssets paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Joplin/Joplinllm-fuzzy2 versions
    <3.3.3+ 1 more
    • (no CPE)range: <3.3.3
    • (no CPE)range: < 3.3.3

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.