Vulnerability Description
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Joplin Project | Joplin | < 3.3.3 |
Related Weaknesses (CWE)
References
- https://github.com/laurent22/joplin/pull/11916Patch
- https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5ExploitVendor Advisory
- https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5ExploitVendor Advisory
FAQ
What is CVE-2025-27409?
CVE-2025-27409 is a vulnerability with a CVSS score of 7.5 (HIGH). Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server ...
How severe is CVE-2025-27409?
CVE-2025-27409 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-27409?
Check the references section above for vendor advisories and patch information. Affected products include: Joplin Project Joplin.