CVE-2025-57798
Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are 2 primary methods of exploitation: via User Interface (UI) Input, and the Local Web Service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note Joplin runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joplin versions 3.6.14 and prior are vulnerable to denial of service via uncontrolled resource allocation in the note title field.
Vulnerability
Joplin versions 3.6.14 and prior contain a denial of service (DoS) vulnerability in the note title input functionality due to the absence of a maximum length validation. The application attempts to store any string passed to the title field without limits, leading to uncontrolled memory allocation. The vulnerable code path lacks a check implemented in the userSideValidation method, as shown in the fix commit [2].
Exploitation
Exploitation can occur through two methods. First, via direct UI input: a local user can type or paste an extremely long string into the title field when creating or editing a note, causing the application to exhaust memory. Second, via the local web service API (typically on port 41184): an attacker who has compromised the user's authentication token (e.g., through malware or other local vulnerabilities) can send a crafted HTTP POST request to the API with an excessively long title parameter, causing an out-of-memory crash without requiring user interaction at the moment of the attack [1].
Impact
Successful exploitation results in an Out Of Memory (OOM) error and subsequent termination of the Joplin process. This constitutes a denial of service, causing loss of availability for the note-taking application and any unsaved work. The attack does not lead to data theft or code execution; the impact is limited to forcing the application to crash [1].
Mitigation
The vulnerability has been patched in Joplin version 3.7.1 [1]. Users should upgrade to version 3.7.1 or later. The fix introduces a validation check that rejects titles longer than 4096 characters with the error "title must be 4096 characters or less" [2]. There is no workaround for unpatched versions; as a defense-in-depth measure, users should protect their local API authentication token from compromise. This CVE is not listed in the KEV catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
15b8795da446aDesktop, Mobile: Fix possible crash when creating a note or notebook with an excessively long title (#15434)
2 files changed · +21 −1
packages/lib/BaseModel.test.ts+15 −0 modified@@ -28,4 +28,19 @@ describe('BaseModel', () => { expect(BaseModel.modelsByIds(items, ids)).toMatchObject(expectedMatchingItems); }); + + test.each([ + [0, false], + [12, false], + [4096, false], + [4097, true], + [100000, true], + ])('userSideValidation should reject overly long titles (length: %d)', (length, shouldThrow) => { + const run = () => BaseModel.userSideValidation({ title: 'x'.repeat(length) }); + if (shouldThrow) { + expect(run).toThrow(/title must be 4096 characters or less/); + } else { + expect(run).not.toThrow(); + } + }); });
packages/lib/BaseModel.ts+6 −1 modified@@ -601,7 +601,7 @@ class BaseModel { return query; } - public static userSideValidation(o: { id?: string; user_updated_time?: number; user_created_time?: number }) { + public static userSideValidation(o: { id?: string; title?: string; user_updated_time?: number; user_created_time?: number }) { if (o.id && !o.id.match(/^[a-f0-9]{32}$/)) { throw new Error('Validation error: ID must a 32-characters lowercase hexadecimal string'); } @@ -610,6 +610,11 @@ class BaseModel { for (const k of timestamps) { if ((k in o) && (typeof o[k] !== 'number' || isNaN(o[k]) || o[k] < 0)) throw new Error('Validation error: user_updated_time and user_created_time must be numbers greater than 0'); } + + const maxTitleLength = 4096; + if (typeof o.title === 'string' && o.title.length > maxTitleLength) { + throw new Error(`Validation error: title must be ${maxTitleLength} characters or less`); + } } // eslint-disable-next-line @typescript-eslint/no-explicit-any -- o is any BaseItemEntity subclass being saved; subclasses override save() with stricter per-entity types
Vulnerability mechanics
Root cause
"Missing input length validation on the note title field allows an attacker to supply an arbitrarily long string, causing unbounded memory allocation and an Out-Of-Memory crash."
Attack vector
An attacker can trigger the vulnerability through two paths. First, a local user with UI access can type or paste an excessively long string into the note title field when creating or editing a note. Second, if an attacker has compromised the user's local web service authentication token (e.g., via malware on the same system), they can send a crafted HTTP POST request to the local API (typically on port 41184) with an overly long title parameter. In both cases the application attempts to allocate memory proportional to the input length without any upper bound, leading to an Out-Of-Memory error and program termination [CWE-770].
Affected code
The vulnerability exists in `packages/lib/BaseModel.ts` in the `userSideValidation` method, which previously did not validate the length of the `title` property. The method is called when creating or updating notes, and without a length check an arbitrarily long title string can be passed through to memory allocation routines.
What the fix does
The patch adds a title length check inside the `userSideValidation` method in `BaseModel.ts` [patch_id=647351]. It accepts an optional `title` property in the validation object and throws a `ValidationError` if the title exceeds 4096 characters. The corresponding test in `BaseModel.test.ts` verifies that titles of length 4096 or less pass validation, while lengths of 4097 or greater are rejected. This closes the vulnerability by preventing the application from ever processing a title long enough to cause unbounded memory allocation.
Preconditions
- authFor the API exploitation path, the attacker must have compromised the user's local web service authentication token.
- networkFor the API path, the attacker must have network access to the local web service (typically on port 41184).
- inputThe attacker must supply a title string longer than 4096 characters.
Generated on May 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.