Cyber Posture

CVE-2025-25187

Severity: High · Public PoC referenced

Published: 07 February 2025
Modified: 11 April 2025
KEV Added: not listed in CISA KEV
Patch: available (fixed in Joplin 3.1.24)
CVSS Score: 7.8 (High) · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score: 0.0059 (69.4th percentile)
Risk Priority: 16 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25187 is a high-severity cross-site scripting (CWE-79) vulnerability in Joplin, the open-source note-taking application (vendor listed as Joplin Project). Its CVSS 3.1 base score is 7.8 (High); because Joplin is an Electron desktop client whose main window runs with nodeIntegration enabled, the XSS escalates to arbitrary code execution on the user's machine.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The EPSS score places it in the top 30.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and one other technique (T1059.007, JavaScript). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Prevents arbitrary JavaScript execution by escaping HTML markup in note titles (tags and on*= event-handler attributes included) before they are rendered with dangerouslySetInnerHTML, so a crafted title is displayed as text rather than interpreted as markup.

prevent: Enforces secure configuration settings: a Content-Security-Policy with a restrictive script-src directive, so inline event handlers do not execute even if markup slips through, and nodeIntegration disabled in the Electron window, so any script that does run cannot escalate to arbitrary code execution on the host.

prevent: Validates and sanitizes note title input at render time by escaping HTML metacharacters. Escaping, not stripping, is the correct fix here: titles are untrusted data that may legitimately contain characters such as "<" or "&", and the goal is to keep them from being parsed as HTML, not to alter the user's text.
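The configuration side of these controls (a restrictive script-src and nodeIntegration turned off) is something a reviewer can check mechanically. The following is an added example written for this page, not Joplin's code: it parses a Content-Security-Policy string, decides whether inline event handlers could execute under it, and audits an Electron webPreferences object for the renderer settings the advisory names. The contextIsolation check goes beyond the advisory (it is the other Electron setting that contains a renderer compromise), and the two sample configurations are constructed, not Joplin's actual BrowserWindow options.

```javascript
// Added example (not Joplin's code): audit an Electron BrowserWindow's webPreferences
// and the renderer's Content-Security-Policy for the weaknesses the advisory names,
// a missing/permissive script-src and nodeIntegration: true. Sample configs are constructed.

// Parse a CSP header value into a Map of directive name -> source expressions.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of String(csp).split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True if the policy lets inline event handlers (onclick=, onload=, ...) execute.
// script-src falls back to default-src; with neither present, scripts are unrestricted.
// 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash source is also listed,
// and nonces never authorise handler attributes (only 'unsafe-hashes' plus a matching hash can).
function scriptSrcAllowsInline(csp) {
  const d = parseCsp(csp);
  const scriptSrc = d.get('script-src') || d.get('default-src');
  if (!scriptSrc) return true;
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Return a list of findings for one window configuration; an empty list means the
// settings discussed in the advisory are in their safe state.
function auditWindow(webPreferences = {}, csp = '') {
  const findings = [];
  // Only an explicit true is flagged: Electron's default has been false since 5.0.
  if (webPreferences.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: any XSS in the renderer can require() Node modules');
  }
  // Beyond the advisory: contextIsolation (default true since Electron 12) keeps page
  // scripts out of the preload/Electron-internals JS world, so it is worth checking too.
  if (webPreferences.contextIsolation === false) {
    findings.push('contextIsolation is disabled: page scripts share a JS world with preload code');
  }
  if (csp == null || String(csp).trim() === '') {
    findings.push('no Content-Security-Policy: inline event handlers execute');
  } else if (scriptSrcAllowsInline(csp)) {
    findings.push("script-src permits 'unsafe-inline': inline event handlers execute");
  }
  return findings;
}

// Constructed configurations for illustration, not Joplin's actual BrowserWindow options.
const VULNERABLE_CONFIG = {
  webPreferences: { nodeIntegration: true, contextIsolation: false },
  csp: '',
};
const HARDENED_CONFIG = {
  webPreferences: { nodeIntegration: false, contextIsolation: true, sandbox: true },
  csp: "default-src 'self'; script-src 'self'; object-src 'none'",
};

function auditConfig(config) {
  return auditWindow(config.webPreferences, config.csp);
}

console.log(auditConfig(VULNERABLE_CONFIG)); // three findings
console.log(auditConfig(HARDENED_CONFIG));   // []
```

The CSP check deliberately treats "no script-src and no default-src" as permissive, because that is the state the advisory describes: with no policy at all, an `onclick` attribute in injected markup runs. A policy of `script-src 'self'` alone is enough to stop inline handlers; adding a nonce does not help for attribute handlers, which is why the check looks only for an effective `'unsafe-inline'`.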

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.007 Command and Scripting Interpreter: JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

The XSS lets an attacker-supplied note title execute arbitrary JavaScript inside Joplin's Electron renderer (T1059.007) when the victim's own Ctrl+P search renders it, which is client-side exploitation for code execution (T1203). Because the window runs with nodeIntegration=true, that JavaScript can reach Node.js APIs and so execute arbitrary code on the victim's machine. Note the CVSS vector is AV:L/UI:R: this is local code execution triggered by user interaction, not unauthenticated remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses Ctrl-P to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Deeper analysis (AI-generated)

CVE-2025-25187 is a cross-site scripting (XSS) vulnerability in Joplin, a free open-source note-taking and to-do application. The issue arises from inserting note titles into the document using React's `dangerouslySetInnerHTML` without escaping HTML entities, combined with the absence of a restrictive Content-Security-Policy (CSP) `script-src` directive. This enables arbitrary JavaScript execution through inline `onclick` or `onload` event handlers in unsanitized HTML. Furthermore, Joplin's main window is created with `nodeIntegration` set to `true`, escalating JavaScript execution to arbitrary code execution on the local system. The vulnerability is rated 7.8 on the CVSS 3.1 scale (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-79.

The attack requires a user to receive notes from unknown sources (for example through a shared or synchronised notebook) and then trigger the vulnerability by using Ctrl+P to search. An attacker crafts a note title containing HTML with an inline event handler; the JavaScript executes when the search results list renders that title as HTML. No privileges are required beyond getting the note onto the victim's device, but user interaction (the search) is needed, hence PR:N and UI:R in the vector. Successful exploitation has high confidentiality, integrity, and availability impact, up to arbitrary code execution on the victim's machine, because the Electron window's `nodeIntegration` setting exposes Node.js APIs to the compromised renderer.

The GitHub security advisory (GHSA-9gfv-q6wj-fr3c) confirms the issue is fixed in Joplin version 3.1.24, and users are advised to upgrade; no workarounds are available. The fix is in commit 360ece6f8873ef81afbfb98b25faad696ffccdb6, which touches the GotoAnything.tsx plugin file that implements the Ctrl+P search dialog.
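The flaw described above, as an added illustration that is not Joplin's code: a highlighted-title renderer in the vulnerable shape (raw title interpolated into the `{__html}` string that `dangerouslySetInnerHTML` consumes) next to its escaped form, plus a crude check for inline handler attributes in the rendered output. The highlight function, the detector and the sample title are constructed assumptions; the actual GotoAnything.tsx code and the patch are not reproduced here.

```javascript
// Added example (not Joplin's code): the bug class in the advisory, modelled on a search
// result that renders a note title as HTML so query matches can be highlighted. Both
// render functions return the {__html} object React's dangerouslySetInnerHTML expects;
// the vulnerable one interpolates the raw title, the safe one escapes every
// user-controlled segment first. Highlight logic and sample title are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can start markup or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable: the title goes into the HTML string untouched, so markup in the
// title (e.g. <b onclick="...">) becomes live DOM once React sets innerHTML.
function highlightVulnerable(title, query) {
  if (!query) return { __html: title };
  const re = new RegExp(escapeRegExp(query), 'gi');
  return { __html: title.replace(re, (m) => `<mark>${m}</mark>`) };
}

// Safe: match on the raw title to find positions, but escape each segment before
// concatenating, so the only tags in the output are the <mark> elements added here.
// Matching before escaping (rather than on escaped text) avoids splitting an entity
// such as &amp; when the query happens to match inside it.
function highlightSafe(title, query) {
  if (!query) return { __html: escapeHtml(title) };
  const re = new RegExp(escapeRegExp(query), 'gi');
  let out = '';
  let last = 0;
  for (const m of title.matchAll(re)) {
    out += escapeHtml(title.slice(last, m.index));
    out += `<mark>${escapeHtml(m[0])}</mark>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(title.slice(last));
  return { __html: out };
}

// Rough check for the payload shape the advisory describes: a tag carrying an
// on*= attribute. Regex over HTML is only adequate for this demo; real detection
// should use a DOM parser. Returns e.g. ['b.onclick'].
function inlineHandlersIn(html) {
  const found = [];
  for (const tag of html.matchAll(/<([a-zA-Z][\w-]*)\b([^>]*)>/g)) {
    const handler = tag[2].match(/\son([a-z]+)\s*=/i);
    if (handler) found.push(`${tag[1].toLowerCase()}.on${handler[1].toLowerCase()}`);
  }
  return found;
}

// Constructed note title of the kind a sender could plant; a benign alert() stands in
// for whatever the handler would do (with nodeIntegration enabled, Node.js APIs too).
const MALICIOUS_TITLE = 'Meeting notes <b onclick="alert(1)">click me</b>';

console.log(inlineHandlersIn(highlightVulnerable(MALICIOUS_TITLE, 'meeting').__html)); // ['b.onclick']
console.log(inlineHandlersIn(highlightSafe(MALICIOUS_TITLE, 'meeting').__html));       // []
```

Requires Node 12 or later for `String.prototype.matchAll`. The safe version also shows why output escaping beats input stripping: the sender's `<b onclick=...>` text survives intact as visible characters, which is what a note title containing angle brackets should do, while nothing in the string can become a live element. Escaping alone closes the XSS; the CSP and nodeIntegration settings from the controls section are the defence in depth that limits damage if another injection point is found.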

Details

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

joplin project / joplin: versions before 3.1.24 (fixed in 3.1.24)

CVEs Like This One

CVE-2025-24028 (same product: Joplin Project Joplin)
CVE-2024-53387 (shared CWE-79)
CVE-2025-22733 (shared CWE-79)
CVE-2025-26868 (shared CWE-79)
CVE-2026-1090 (shared CWE-79)
CVE-2026-34448 (shared CWE-79)
CVE-2026-34725 (shared CWE-79)
CVE-2025-22326 (shared CWE-79)
CVE-2026-34557 (shared CWE-79)
CVE-2026-42090 (shared CWE-79)
