PT-2025-6012 · React+1
Personalizedrefrigerator · Published 2025-02-07 · Updated 2025-02-08
CVE-2025-25187
CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Joplin versions prior to 3.1.24
Description
This issue is caused by Joplin adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities. Joplin lacks a Content-Security-Policy with a restrictive script-src, allowing arbitrary JavaScript execution via inline onclick/onload event handlers in unsanitized HTML. Additionally, Joplin's main window is created with nodeIntegration set to true, allowing arbitrary JavaScript execution to result in arbitrary code execution. Users who receive notes from unknown sources and use the search function are impacted.
Recommendations
For versions prior to 3.1.24, upgrade to version 3.1.24 or later to resolve the issue. As a temporary workaround, consider avoiding the use of notes from unknown sources and refraining from using the search function until the upgrade is applied. Restrict the use of dangerouslySetInnerHTML and ensure proper escaping of HTML entities to minimize the risk of exploitation. Avoid setting nodeIntegration to true until the issue is resolved.
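
The missing escaping step described above, shown beside the unsafe pattern. This is an added example, not Joplin's code: the function names, the `<mark>` highlighting of a search term and the sample title are assumptions made for illustration.

```javascript
// Added example; all names are hypothetical and this is not Joplin's code.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every character that can start a tag, an attribute value or an entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Escape regex metacharacters so the search term is matched literally.
function escapeRegExp(text) {
  return String(text).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe pattern from the description: the raw note title becomes markup,
// so any tag or inline event handler in the title reaches the DOM.
function unsafeTitleProps(title) {
  return { dangerouslySetInnerHTML: { __html: title } };
}

// Hardened: split the RAW title on the search term, escape each piece, and
// only then add the <mark> tags. Escaping first and matching afterwards would
// let a term such as "amp" match inside the generated "&amp;" entity.
function safeTitleProps(title, searchTerm) {
  const raw = String(title);
  if (!searchTerm) {
    return { dangerouslySetInnerHTML: { __html: escapeHtml(raw) } };
  }
  const parts = raw.split(new RegExp(`(${escapeRegExp(searchTerm)})`, 'gi'));
  // With a capturing group in split(), odd indexes hold the matched text.
  const html = parts
    .map((part, i) => (i % 2 === 1 ? `<mark>${escapeHtml(part)}</mark>` : escapeHtml(part)))
    .join('');
  return { dangerouslySetInnerHTML: { __html: html } };
}

// Constructed sample title carrying an inline event handler.
const sampleTitle = '<b onclick="console.log(1)">Budget</b> & plans';
console.log(unsafeTitleProps(sampleTitle).dangerouslySetInnerHTML.__html);
console.log(safeTitleProps(sampleTitle, 'budget').dangerouslySetInnerHTML.__html);
```

Escaping is one layer; the description also names the missing restrictive script-src policy and nodeIntegration set to true as the conditions that turn injected markup into code execution.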
XSS
Affected Products
Joplin
React