CVE-2025-25187
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive script-src. This allows arbitrary JavaScript execution via inline onclick/onload event handlers in unsanitized HTML. Additionally, Joplin's main window is created with nodeIntegration set to true, allowing arbitrary JavaScript execution to result in arbitrary code execution. Anyone who 1) receives notes from unknown sources and 2) uses <kbd>ctrl</kbd>-<kbd>p</kbd> to search is impacted. This issue has been addressed in version 3.1.24 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
| Software | From | Fixed in |
|---|---|---|
| joplin_project / joplin | - | 3.1.24 |
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
- https://github.com/laurent22/joplin/blob/2fc9bd476b0d9abcddb0a46f615a48333779d225/packages/app-desktop/plugins/GotoAnything.tsx#L558
- https://github.com/laurent22/joplin/commit/360ece6f8873ef81afbfb98b25faad696ffccdb6
- https://github.com/laurent22/joplin/security/advisories/GHSA-9gfv-q6wj-fr3c
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime