CVE-2025-27409
HIGHJoplin < 3.3.3 - Path Traversal via Static File Path Handling
Title source: llmDescription
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, path traversal is possible in Joplin Server if static file path starts with `css/pluginAssets` or `js/pluginAssets`. The `findLocalFile` function in the `default route` calls `localFileFromUrl` to check for special `pluginAssets` paths. If the function returns a path, the result is returned directly, without checking for path traversal. The vulnerability allows attackers to read files outside the intended directories. This issue has been patched in version 3.3.3.
References (2)
Core 2
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/laurent22/joplin/security/advisories/GHSA-5xv6-7jm3-fmg5
Patch x_refsource_misc
https://github.com/laurent22/joplin/pull/11916
Scores
CVSS v3
7.5
EPSS
0.0054
EPSS Percentile
41.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
joplin_project/joplin
< 3.3.3
Published
Apr 30, 2025
Tracked Since
Feb 18, 2026