CVE-2025-27409: Joplin Server Vulnerable to Path Traversal
Description
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.
Classification
CVE ID: CVE-2025-27409
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Problem Types
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Affected Products
Vendor: laurent22
Product: joplin
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.06% (probability of being exploited)
EPSS Percentile: 18.69% (scored less or equal to compared to others)
EPSS Date: 2025-05-29 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-27409https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5
https://github.com/laurent22/joplin/pull/11916