CVE-2025-24028

7.8 HIGH

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in Joplin's Rich Text Editor, caused by a mismatch between how Joplin's HTML sanitizer and the browser handle HTML comments. An attacker can execute arbitrary JavaScript when a user opens a malicious note in the Rich Text Editor. Only users who open untrusted notes in the Rich Text Editor are affected.

💻 Affected Systems

Products:
  • Joplin
Versions: between 3.1.24 (exclusive) and 3.2.12 (exclusive)
Operating Systems: All platforms running Joplin (Windows, macOS, Linux, mobile)
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Rich Text Editor is affected; the Markdown viewer is not, because it runs with cross-origin isolation. The vulnerability was introduced in commit 9b50539.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Joplin data, including theft of notes, credentials, and local file access, depending on Joplin's permissions and integrations.

🟠 Likely Case

Theft of sensitive notes, session hijacking, and potential malware delivery through Joplin's execution context.

🟢 If Mitigated

Limited impact if users only open trusted notes or use the Markdown viewer exclusively (which has cross-origin isolation).

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction (opening malicious note). No public exploit code available as of advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.12

Vendor Advisory: https://github.com/laurent22/joplin/security/advisories/GHSA-5w3c-wph9-hq92

Restart Required: No

Instructions:

1. Open the Joplin application.
2. Go to Help > Check for updates.
3. Follow the prompts to update to version 3.2.12 or later.
4. Alternatively, download the latest version from joplinapp.org.

🔧 Temporary Workarounds

Use Markdown Viewer Only (applies to: all)

Switch to Markdown viewer mode, which has cross-origin isolation that prevents JavaScript execution.

In Joplin settings, set the default editor to Markdown.

🧯 If You Can't Patch

  • Avoid opening untrusted notes in Rich Text Editor
  • Use Joplin in read-only mode for untrusted content

🔍 How to Verify

Check if Vulnerable:

Check the Joplin version in Help > About. If it is later than 3.1.24 and earlier than 3.2.12 (both bounds exclusive), you are vulnerable.

Check Version:

Run joplin --version (CLI) or open Help > About in the GUI.

Verify Fix Applied:

Verify version is 3.2.12 or later in Help > About.
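The version check above, as an added example script (not part of the advisory or of Joplin itself) for inventorying installed versions against the affected range. It assumes the version string handed to it contains a dotted x.y.z number, as printed by joplin --version or shown in Help > About.

```python
import re

# Affected range from the advisory: strictly later than 3.1.24 and
# strictly earlier than 3.2.12 (both bounds exclusive).
FIRST_AFFECTED_EXCLUSIVE = (3, 1, 24)
FIXED_VERSION = (3, 2, 12)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the first x.y.z version from text such as `joplin --version`
    output or the Help > About string (assumption: a dotted three-part
    version appears somewhere in it). Comparing numeric tuples avoids the
    string-compare mistake where '3.10.0' would sort before '3.2.12'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text: str) -> bool:
    """True only for versions inside the open interval (3.1.24, 3.2.12)."""
    v = parse_version(version_text)
    return FIRST_AFFECTED_EXCLUSIVE < v < FIXED_VERSION


def assess(version_text: str) -> str:
    """Human-readable verdict for a single host's reported version."""
    if is_vulnerable(version_text):
        return "VULNERABLE: update to 3.2.12 or later"
    return "not in affected range"


if __name__ == "__main__":
    # Constructed sample inputs covering both bounds and a 3.10.x version.
    for sample in ("3.1.24", "3.1.25", "Joplin 3.2.11", "3.2.12", "3.10.0"):
        print(f"{sample:>14} -> {assess(sample)}")
```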

📡 Detection & Monitoring

Log Indicators:

  • Unusual note creation/modification patterns
  • Notes with suspicious HTML/JavaScript content

Network Indicators:

  • None - local application vulnerability

SIEM Query:

Application logs showing Joplin process execution with suspicious note file access
