CVE-2025-25187

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Feb 7, 2025
Updated: Feb 10, 2025
CWE ID 79

Summary

CVE-2025-25187 is a vulnerability affecting Joplin, a free and open source note-taking application. The issue arises because the application passes note titles to React's `dangerouslySetInnerHTML` without proper HTML entity escaping. Malicious HTML can therefore be injected, and it leads to arbitrary JavaScript execution because Joplin's Content-Security-Policy is weak and its main window runs with `nodeIntegration` set to `true`. Users are affected when they receive unsanitized notes and use the Ctrl+P shortcut to search. Version 3.1.24 addresses this issue; all users are advised to upgrade, as there are currently no known workarounds.
