CVE-2025-25187 (GCVE-0-2025-25187)
Vulnerability from cvelistv5 – Published: 2025-02-07 22:38 – Updated: 2025-02-10 17:15
VLAI
Title
Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin
Summary
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin's main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
7.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/laurent22/joplin/security/advi… | x_refsource_CONFIRM |
| https://github.com/laurent22/joplin/commit/360ece… | x_refsource_MISC |
| https://developer.mozilla.org/en-US/docs/Web/HTTP… | x_refsource_MISC |
| https://github.com/laurent22/joplin/blob/2fc9bd47… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25187",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-10T17:14:00.437337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-10T17:15:09.979Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "joplin",
"vendor": "laurent22",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.24"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React\u0027s `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin\u0027s main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses \u003ckbd\u003ectrl\u003c/kbd\u003e-\u003ckbd\u003ep\u003c/kbd\u003e to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-07T22:38:20.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c"
},
{
"name": "https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"
},
{
"name": "https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558"
}
],
"source": {
"advisory": "GHSA-9gfv-q6wj-fr3c",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-25187",
"datePublished": "2025-02-07T22:38:20.068Z",
"dateReserved": "2025-02-03T19:30:53.399Z",
"dateUpdated": "2025-02-10T17:15:09.979Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-25187",
"date": "2026-06-10",
"epss": "0.00593",
"percentile": "0.69721"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-25187\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-02-07T23:15:15.217\",\"lastModified\":\"2025-04-11T18:56:36.240\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React\u0027s `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin\u0027s main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses \u003ckbd\u003ectrl\u003c/kbd\u003e-\u003ckbd\u003ep\u003c/kbd\u003e to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Joplin es una aplicaci\u00f3n de c\u00f3digo abierto y gratuita para tomar notas y realizar tareas pendientes, que puede gestionar una gran cantidad de notas organizadas en cuadernos. Esta vulnerabilidad se produce al a\u00f1adir t\u00edtulos de notas al documento mediante `dangerouslySetInnerHTML` de React, sin escapar primero las entidades HTML. Joplin carece de una Content-Security-Policy con un `script-src` restrictivo. Esto permite la ejecuci\u00f3n arbitraria de JavaScript a trav\u00e9s de controladores de eventos `onclick`/`onload` en l\u00ednea en HTML no saneado. Adem\u00e1s, la ventana principal de Joplin se crea con `nodeIntegration` configurado en `true`, lo que permite la ejecuci\u00f3n arbitraria de JavaScript para dar como resultado la ejecuci\u00f3n de c\u00f3digo arbitrario. Cualquiera que 1) reciba notas de fuentes desconocidas y 2) utilice ctrl-p para buscar se ve afectado. Este problema se ha solucionado en la versi\u00f3n 3.1.24 y se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*\",\"versionEndExcluding\":\"3.1.24\",\"matchCriteriaId\":\"054ACD95-A971-4DD1-B625-BCCD33BCA444\"}]}]}],\"references\":[{\"url\":\"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-25187\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-10T17:14:00.437337Z\"}}}], \"references\": [{\"url\": \"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-10T17:15:04.502Z\"}}], \"cna\": {\"title\": \"Cross-site Scripting in Goto Anything allows arbitrary code execution in Joplin\", \"source\": {\"advisory\": \"GHSA-9gfv-q6wj-fr3c\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"laurent22\", \"product\": \"joplin\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.1.24\"}]}], \"references\": [{\"url\": \"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c\", \"name\": \"https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6\", \"name\": \"https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\", \"name\": \"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558\", \"name\": \"https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React\u0027s `dangerouslySetInnerHTML`, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive `script-src`. This allows arbitrary JavaScript execution via inline `onclick`/`onload` event handlers in unsanitized HTML. Additionally, Joplin\u0027s main window is created with `nodeIntegration` set to `true`, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses \u003ckbd\u003ectrl\u003c/kbd\u003e-\u003ckbd\u003ep\u003c/kbd\u003e to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-02-07T22:38:20.068Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-25187\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-10T17:15:09.979Z\", \"dateReserved\": \"2025-02-03T19:30:53.399Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-02-07T22:38:20.068Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…