CVE-2025-27409
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function in the default route calls localFileFromUrl to check for special pluginAssets paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| laurent22 | joplin | < 3.3.3 | affected |
Weaknesses
- CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
Additional References
References
- https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5
- https://github.com/laurent22/joplin/pull/11916
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.