CVE-2025-25187
Published: 07 February 2025
Description
Adversaries may abuse various implementations of JavaScript for execution.
Security Summary
CVE-2025-25187 is a cross-site scripting (XSS) vulnerability in Joplin, a free open-source note-taking and to-do application. The issue arises from inserting note titles into the document using React's `dangerouslySetInnerHTML` without escaping HTML entities, combined with the absence of a restrictive Content-Security-Policy (CSP) `script-src` directive. This enables arbitrary JavaScript execution through inline `onclick` or `onload` event handlers in unsanitized HTML. Furthermore, Joplin's main window is created with `nodeIntegration` set to `true`, escalating JavaScript execution to arbitrary code execution on the local system. The vulnerability is rated 7.8 on the CVSS 3.1 scale (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-79.
The attack requires a user to receive notes from unknown sources and trigger the vulnerability by using Ctrl+P to search. An attacker can craft a malicious note title containing exploitable HTML event handlers, which executes JavaScript upon search activation. Successful exploitation grants high confidentiality, integrity, and availability impacts, including full arbitrary code execution on the victim's machine due to the Electron application's `nodeIntegration` setting.
The GitHub security advisory (GHSA-9gfv-q6wj-fr3c) confirms the issue has been fixed in Joplin version 3.1.24, with users strongly advised to upgrade immediately. No workarounds are available. Relevant code changes are documented in the commit 360ece6f8873ef81afbfb98b25faad696ffccdb6 and the GotoAnything.tsx plugin file.
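As an added illustration (not Joplin's code), the raw-insertion shape the advisory describes beside its escaped form, plus a small audit of the two settings named above (`nodeIntegration` and the CSP `script-src` directive); the sample title, window preferences and CSP strings are constructed inputs:

```javascript
// Escape the five HTML-significant characters so a note title can be
// placed into markup without contributing tags or attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the title lands in the markup unchanged, which is what
// dangerouslySetInnerHTML does with an unescaped string.
function renderTitleUnsafe(title) {
  return `<div class="item-title">${title}</div>`;
}

// Hardened shape: same markup, title escaped first.
function renderTitleSafe(title) {
  return `<div class="item-title">${escapeHtml(title)}</div>`;
}

// Regression check on rendered output: does any element carry an inline
// on* event handler attribute? A test oracle, not a sanitizer.
function hasInlineEventHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

// Audit of the settings the advisory calls out. `prefs` mirrors Electron's
// BrowserWindow webPreferences; `csp` is the Content-Security-Policy value.
// script-src falls back to default-src when absent, as in the CSP spec.
function auditWindowConfig(prefs, csp) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration enabled: XSS escalates to Node.js access');
  }
  const directives = (csp || '').split(';').map((d) => d.trim());
  const scriptSrc = directives.find((d) => d.startsWith('script-src'))
    || directives.find((d) => d.startsWith('default-src'));
  if (!scriptSrc) {
    findings.push('no script-src or default-src: inline handlers allowed');
  } else if (/'unsafe-inline'/.test(scriptSrc)) {
    findings.push(`${scriptSrc.split(/\s+/)[0]} permits 'unsafe-inline'`);
  }
  return findings;
}

// Constructed sample title of the kind the advisory describes.
const sampleTitle = 'Groceries <b onclick="alert(1)">list</b>';
```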
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The XSS vulnerability enables arbitrary JavaScript execution in an Electron app with nodeIntegration=true, which directly supports client-side exploitation for code execution (T1203) through JavaScript (T1059.007), leading to RCE.