CVE-2025-27409 : Joplin is a free, open source note taking and to-do application, which can handl

Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.

Published 2025-04-30 14:55:08

Updated 2025-05-16 16:29:41

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2025-27409

Joplin Project » Joplin »
Versions before (<) 3.3.3
cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:-:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2025-27409

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 26 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2025-27409

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	N/A	N/A	GitHub, Inc.	2025-04-30
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST	2025-05-16
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	GitHub, Inc.	2025-04-30
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2025-27409

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2025-27409

https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5

Exploit;Vendor Advisory
https://github.com/laurent22/joplin/pull/11916

Patch

Jump to

Vulnerability Details : CVE-2025-27409

Products affected by CVE-2025-27409

Exploit prediction scoring system (EPSS) score for CVE-2025-27409

CVSS scores for CVE-2025-27409

CWE ids for CVE-2025-27409

References for CVE-2025-27409