CVE-2025-24028
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-24028 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, in Joplin, a free open-source note-taking and to-do application that organizes notes into notebooks. The flaw stems from differences between how Joplin's HTML sanitizer processes HTML comments and how browsers parse them, and it affects both the Rich Text Editor and the Markdown viewer. The Markdown viewer is cross-origin isolated, which prevents script running there from reaching functions and variables of the top-level Joplin window, but the Rich Text Editor has no such isolation and remains exposed. The issue was absent in Joplin 3.1.24 and appears to have been introduced around commit 9b50539.
Exploitation requires a user to open an untrusted note in the Rich Text Editor; a crafted HTML comment in that note passes the sanitizer and results in arbitrary JavaScript execution in the editor. The CVSS v3.1 vector is local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and user interaction required, namely opening the note (UI:R), with high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) and unchanged scope (S:U), for a base score of 7.8.
Joplin version 3.2.12 fully addresses the vulnerability, and all users are urged to upgrade, as no workarounds exist. Details appear in GitHub security advisory GHSA-5w3c-wph9-hq92, fix commit 2a058ed8097c2502e152b26394dc1917897f5817, the introducing commit 9b505395918bc923f34fe6f3b960bb10e8cf234e, and documentation on note viewer isolation at joplinapp.org/help/dev/spec/note_viewer_isolation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS vulnerability enables arbitrary JavaScript execution in the Joplin client's Rich Text Editor when a user opens an untrusted note, which maps to Exploitation for Client Execution (T1203) and Command and Scripting Interpreter: JavaScript (T1059.007).