PT-2025-18289 · Joplin · Joplin

Zonia3000 · Published 2025-04-30 · Updated 2025-05-02 · CVE-2025-27409

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Joplin versions prior to 3.3.3

Description: The issue allows path traversal in Joplin Server when the static file path starts with css/pluginAssets or js/pluginAssets. The findLocalFile function in the default route calls localFileFromUrl to check for special pluginAssets paths. If the function returns a path, the result is returned directly, without checking for path traversal, enabling attackers to read files outside the intended directories.

Recommendations: For versions prior to 3.3.3, update to version 3.3.3 to resolve the issue. As a temporary workaround, consider restricting access to the css/pluginAssets and js/pluginAssets paths to minimize the risk of exploitation. Avoid using the localFileFromUrl function in the default route until the issue is resolved.

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2025-27409
GHSA-5XV6-7JM3-FMG5

Affected Products

Joplin