Cyber Posture

CVE-2025-24028

Severity: High · Public PoC

Published: 07 February 2025
Modified: 18 April 2025
KEV Added: not listed
Patch: 3.2.12
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24028 is a high-severity cross-site scripting (CWE-79) vulnerability in Joplin (vendor: Joplin Project). Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 43.2% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

Prevent (SI-2, Flaw Remediation): timely flaw remediation, i.e. patching to Joplin 3.2.12, directly eliminates the XSS vulnerability stemming from the defective HTML comment sanitization in the Rich Text Editor.

Prevent (SI-10, Information Input Validation): robust input validation ensures that untrusted note content, including malicious HTML comments, is properly sanitized before it is processed in the Rich Text Editor, so no attacker-supplied JavaScript reaches the renderer.

Prevent (SI-15, Information Output Filtering): output filtering prevents scripts that slipped past the sanitizer inside HTML comments from executing when the content is rendered in the Rich Text Editor's browser context.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.007 Command and Scripting Interpreter: JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The XSS vulnerability directly enables arbitrary JavaScript execution in the Joplin client application's Rich Text Editor when opening untrusted notes, mapping to Exploitation for Client Execution (T1203) and JavaScript Command and Scripting Interpreter (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Deeper analysis (AI-generated)

CVE-2025-24028 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in Joplin, a free open-source note-taking and to-do application that organizes notes into notebooks. The flaw stems from differences in how Joplin's HTML sanitizer processes comments compared to browser handling of comments, impacting the Rich Text Editor and Markdown viewer components. The Markdown viewer benefits from cross-origin isolation, which blocks JavaScript access to top-level Joplin window functions and variables, but the Rich Text Editor remains exposed. The issue was absent in Joplin 3.1.24 and may have been introduced around commit 9b50539.

Exploitation targets users opening untrusted notes in the Rich Text Editor, where malicious HTML comments can bypass sanitization and execute arbitrary JavaScript. Attackers require local access (AV:L), low complexity (AC:L), no privileges (PR:N), and user interaction such as note opening (UI:R), yielding a CVSS v3.1 base score of 7.8 with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) in an unchanged scope (S:U).

Joplin version 3.2.12 fully addresses the vulnerability, and all users are urged to upgrade, as no workarounds exist. Details appear in GitHub security advisory GHSA-5w3c-wph9-hq92, fix commit 2a058ed8097c2502e152b26394dc1917897f5817, the introducing commit 9b505395918bc923f34fe6f3b960bb10e8cf234e, and documentation on note viewer isolation at joplinapp.org/help/dev/spec/note_viewer_isolation.
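The root cause named in the NVD description (the sanitizer and the browser disagreeing on where an HTML comment ends) and the SI-10/SI-15 controls listed earlier point at the same defensive structure: let a real tokenizer decide where comments and tags begin and end, and rebuild the output from its events instead of pattern-matching the raw string. The Python sketch below is an added illustration of that structure, not Joplin's sanitizer or any code from the project; the tag and attribute allowlists and the test inputs are constructed for the example, and Python's `html.parser` stands in for the renderer's own parser, which is what a browser-rendered product should use so that sanitizer and renderer never disagree.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example; on* handlers, style, etc. are never copied through.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}

class TokenSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0   # output, open tags, drop depth

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1            # discard the element and everything inside it
        elif not self.skip and tag in ALLOWED_TAGS:   # unknown tags vanish, their text stays
            kept = []
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    if name == "href" and not value.strip().lower().startswith(("http://", "https://")):
                        continue      # refuse javascript:, data: and other schemes
                    kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
            if tag != "br":           # the one void tag in the allowlist never gets a close tag
                self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while (top := self.open.pop()) != tag:   # close anything left open inside
                self.out.append(f"</{top}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # re-escape the decoded text

    def handle_comment(self, data):
        pass   # the tokenizer decided where the comment ends; none of it is emitted

def sanitize(html):
    """Rebuild untrusted markup from tokenizer events; never edit the raw string."""
    s = TokenSanitizer()
    s.feed(html)
    s.close()                         # flush any buffered text
    while s.open:                     # close tags still open at end of input
        s.out.append(f"</{s.open.pop()}>")
    return "".join(s.out)
```

Because the output is regenerated from parsed events, anything the tokenizer classified as a comment is gone regardless of how its delimiters were written, and only allowlisted tags and attributes are ever serialized.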

Details

CWE(s)

CWE-79 (Cross-site Scripting)

Affected Products

Joplin Project: Joplin, versions ≤ 3.2.12 (the advisory text above names 3.2.12 as the fixed release)

CVEs Like This One

CVE-2025-25187 (same product: Joplin Project Joplin)
CVE-2024-53387 (shared CWE-79)
CVE-2025-22733 (shared CWE-79)
CVE-2025-26868 (shared CWE-79)
CVE-2026-1090 (shared CWE-79)
CVE-2026-34448 (shared CWE-79)
CVE-2026-34725 (shared CWE-79)
CVE-2025-22326 (shared CWE-79)
CVE-2026-34557 (shared CWE-79)
CVE-2026-42090 (shared CWE-79)

References