CVE-2025-24028 Overview
CVE-2025-24028 is a Cross-Site Scripting (XSS) vulnerability affecting Joplin, a free and open-source note-taking and to-do application. The vulnerability stems from differences between how Joplin's HTML sanitizer handles comments compared to how browsers process them. This parsing differential allows attackers to craft malicious notes that bypass Joplin's HTML sanitization, enabling arbitrary JavaScript execution when victims open untrusted notes in the Rich Text Editor.
The vulnerability affects both the Rich Text Editor and the Markdown viewer. However, the Markdown viewer benefits from cross-origin isolation, which prevents JavaScript from directly accessing functions and variables in the top-level Joplin window. Users who open untrusted notes in the Rich Text Editor are at the highest risk, as this mode does not have the same isolation protections.
Critical Impact
Attackers can execute arbitrary JavaScript code in the context of the Joplin application by crafting malicious notes. This could lead to credential theft, data exfiltration, session hijacking, or further compromise of the user's system through the application's privileged context.
Affected Products
- Joplin versions between 9b50539 and 3.2.11
- Joplin Desktop application
- Joplin Mobile application
Discovery Timeline
- 2025-02-07 - CVE-2025-24028 published to NVD
- 2025-04-18 - Last updated in NVD database
Technical Details for CVE-2025-24028
Vulnerability Analysis
This XSS vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The root cause lies in a parsing differential between Joplin's HTML sanitizer using htmlparser2 and browser HTML parsing engines. When HTML comments are processed, the sanitizer and browser interpret certain character sequences differently, allowing specially crafted comment content to break out of the comment context and inject executable code.
The vulnerability may have been introduced in commit 9b50539 when comment preservation was added to the Markdown renderer. The change allowed HTML comments to pass through the sanitizer for metadata purposes but failed to properly escape special characters within those comments.
Root Cause
The vulnerability originates in the packages/renderer/htmlUtils.ts file where HTML comments are processed. The original implementation directly passed comment data through without proper escaping:
    oncomment: (encodedData: string) => {
        output.push(`<!--${encodedData}-->`);
    },
This approach is dangerous because certain character sequences within comments can cause browsers to terminate comments prematurely. For example, when a <style> tag contains a comment like <!--</style>-->, the browser may interpret the </style> as closing the style block rather than treating it as comment content: inside a <style> element the browser's tokenizer is in raw-text mode, where <!-- has no special meaning and the element ends at the first </style> sequence. The sanitizer, by contrast, treats everything between <!-- and --> as an opaque comment and re-emits it unchanged. This parsing differential enables attackers to inject arbitrary HTML and JavaScript that bypasses the sanitizer.
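To make the differential concrete, the following JavaScript is an added example and not Joplin's code. It places the pre-patch comment handler (data re-emitted verbatim) beside the patched one (angle brackets escaped) and runs both through a small model of how a browser tokenizes a <style> element: comment delimiters are ignored and the element ends at the first </style it sees. The htmlentities stand-in, the browserMarkupAfterStyle model and the leaksPastStyle helper are assumptions made for this example.

```javascript
// Added example (not Joplin's code): a minimal model of the parsing
// differential behind CVE-2025-24028. The sanitizer side treats
// "<!-- ... -->" as an opaque comment and re-emits it; the browser side,
// once inside a raw-text element such as <style>, ignores comment syntax
// and ends the element at the first "</style" sequence.

// Pre-patch comment handler: comment data is re-emitted verbatim.
function serializeCommentVulnerable(data) {
  return `<!--${data}-->`;
}

// Stand-in for the htmlentities() helper used by the fix (assumption:
// the real helper escapes at least these characters).
function htmlentities(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Patched comment handler: "<" and ">" inside the comment are escaped,
// so no "</style" sequence can survive into the serialized output.
function serializeCommentFixed(data) {
  return `<!--${htmlentities(data)}-->`;
}

// Model of the browser's raw-text tokenization of a <style> element:
// after "<style>" it scans for "</style" (case-insensitive), paying no
// attention to "<!--" or "-->". Returns the text the browser would parse
// as ordinary markup *after* the style element closes.
function browserMarkupAfterStyle(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf('<style>');
  if (open === -1) return '';
  const bodyStart = open + '<style>'.length;
  const close = lower.indexOf('</style', bodyStart);
  if (close === -1) return '';
  const closeEnd = html.indexOf('>', close);
  return closeEnd === -1 ? '' : html.slice(closeEnd + 1);
}

// Wraps a serialized comment in a <style> element with nothing after it.
// Anything the browser sees as markup after the element must therefore
// have leaked out of the comment body, i.e. the comment ended the element
// early. Returns true when that happens.
function leaksPastStyle(serializeComment, commentData) {
  const html = `<style>${serializeComment(commentData)}</style>`;
  return browserMarkupAfterStyle(html) !== '';
}

// Stand-alone demonstration using the comment from the advisory text.
function demo() {
  const data = '</style>';
  return {
    vulnerableLeaks: leaksPastStyle(serializeCommentVulnerable, data),
    fixedLeaks: leaksPastStyle(serializeCommentFixed, data),
    fixedOutput: serializeCommentFixed(data),
  };
}

console.log(demo());
```

The vulnerable handler leaks because the browser finds the </style inside the comment before the real closing tag; the patched handler emits <!--&lt;/style&gt;-->, which the browser never matches as a closing tag and which, outside a raw-text element, still reads as an ordinary comment.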
Attack Vector
The attack is network-based and requires user interaction. An attacker must craft a malicious note containing specially formatted HTML comments and convince a victim to open the note using Joplin's Rich Text Editor. The attack vector includes:
- Note Sharing: Attacker shares a malicious note through Joplin's sync or import features
- Note Import: Victim imports an ENEX or other note format containing the payload
- Collaborative Environments: In shared notebook scenarios, compromised notes propagate to other users
The Rich Text Editor lacks the cross-origin isolation protection present in the Markdown viewer, making it the primary exploitation target.
// Vulnerable code - comment data passed through without escaping
// Source: https://github.com/laurent22/joplin/commit/9b505395918bc923f34fe6f3b960bb10e8cf234e
const parser = new htmlparser2.Parser({
    oncomment: (encodedData: string) => {
        output.push(`<!--${encodedData}-->`);
    },
    onopentag: (name: string, attrs: Record<string, string>) => {
        // Note: "name" and attribute names are always lowercase even
        // when the input is not. So there is no need to call
Source: GitHub Commit 9b50539
Detection Methods for CVE-2025-24028
Indicators of Compromise
- Unexpected JavaScript execution or behavior when viewing notes in Joplin
- Notes containing unusual HTML comment sequences with embedded < or > characters
- Suspicious network requests originating from the Joplin application
- Unexplained modifications to Joplin settings or data
Detection Strategies
- Monitor Joplin application logs for unusual rendering errors or script execution warnings
- Implement endpoint detection rules for suspicious HTML patterns in note content
- Review imported notes and shared notebook content for malformed HTML comments
- Analyze application behavior for unexpected network connections or data exfiltration attempts
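As an added example (not from the advisory or from Joplin), the following JavaScript turns the indicator of compromise listed above, HTML comments with raw < or > characters inside them, into a small scanner that can be run over exported note HTML during a review of imported or shared content. It also flags an unterminated comment, which would swallow the rest of the note in a browser. The sample notes are constructed for the example and are not real data.

```javascript
// Added example (not Joplin's code): flag HTML comments in note content
// whose body contains raw "<" or ">" characters, plus comments that are
// never closed. Intended as a triage aid when reviewing notes, not as a
// replacement for upgrading to 3.2.12.

const COMMENT_RE = /<!--([\s\S]*?)-->/g;

// Escape a preview so it can be shown in a report without being rendered.
function escapePreview(text) {
  return text.replace(/[<>]/g, (c) => (c === '<' ? '&lt;' : '&gt;'));
}

// Returns one finding per suspicious comment: offset in the note, a short
// escaped preview, and whether the body names a raw-text closing tag
// (</style or </script), the pattern behind the advisory's example.
function findSuspiciousComments(noteHtml) {
  const findings = [];
  let tail = 0; // end of the last properly closed comment
  for (const match of noteHtml.matchAll(COMMENT_RE)) {
    tail = match.index + match[0].length;
    const body = match[1];
    if (/[<>]/.test(body)) {
      findings.push({
        offset: match.index,
        preview: escapePreview(body.slice(0, 40)),
        mentionsRawTextClose: /<\/(style|script)/i.test(body),
      });
    }
  }
  // Any "<!--" after the last closed comment has no matching "-->".
  const dangling = noteHtml.indexOf('<!--', tail);
  if (dangling !== -1) {
    findings.push({
      offset: dangling,
      preview: '(unterminated comment)',
      mentionsRawTextClose: false,
    });
  }
  return findings;
}

// Constructed sample notes for the example (not real data).
const SAMPLE_NOTES = {
  benign: '<p>Shopping list</p><!-- exported 2025-01-01 --><ul><li>milk</li></ul>',
  escaped: '<style>p{}</style><!--&lt;/style&gt; is harmless once escaped-->',
  suspicious: '<style>p{color:red}<!--</style><p>injected</p>--></style><p>Meeting notes</p>',
  unterminated: '<p>hi</p><!-- note',
};

// Scan a map of note name -> HTML and return findings per note.
function scanNotes(notes) {
  const report = {};
  for (const [name, html] of Object.entries(notes)) {
    report[name] = findSuspiciousComments(html);
  }
  return report;
}

console.log(JSON.stringify(scanNotes(SAMPLE_NOTES), null, 2));
```

A clean note yields no findings; a comment whose body was already escaped is also clean, which is exactly what the 3.2.12 fix produces, so the scanner distinguishes pre-patch output from patched output on the same comment.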
Monitoring Recommendations
- Enable verbose logging in Joplin to capture rendering events and errors
- Deploy application-level monitoring to detect unauthorized JavaScript execution
- Implement network traffic analysis to identify data exfiltration from Joplin processes
- Consider sandboxing the Joplin application to limit potential damage from exploitation
How to Mitigate CVE-2025-24028
Immediate Actions Required
- Upgrade Joplin to version 3.2.12 or later immediately
- Avoid opening untrusted notes in the Rich Text Editor until patched
- Use the Markdown viewer instead of Rich Text Editor for reviewing suspicious content
- Review recently imported or shared notes for suspicious content
Patch Information
The vulnerability has been addressed in Joplin version 3.2.12. The fix properly escapes < and > characters within HTML comments using htmlentities(), preventing browser parsing differentials from being exploited.
The security patch modifies the comment handler in packages/renderer/htmlUtils.ts:
// Fixed code - properly escapes special characters in comments
// Source: https://github.com/laurent22/joplin/commit/2a058ed8097c2502e152b26394dc1917897f5817
const parser = new htmlparser2.Parser({
    oncomment: (data: string) => {
        // Ensure that <s and >s are escaped within comments. In some cases,
        // these characters can end a comment early (e.g. <style><!--</style>-->)
        output.push(`<!--${htmlentities(data)}-->`);
    },
    onopentag: (name: string, attrs: Record<string, string>) => {
Source: GitHub Security Patch
For additional technical details, refer to the GitHub Security Advisory GHSA-5w3c-wph9-hq92.
Workarounds
- There are no known workarounds that fully remove this vulnerability; upgrading to version 3.2.12 is the only complete fix. The measures below only reduce exposure until the update is applied
- Use the Markdown viewer instead of Rich Text Editor as a temporary risk reduction measure (note: Markdown viewer has cross-origin isolation but may still be affected)
- Avoid importing notes from untrusted sources until the application is updated
- Consider disabling note synchronization from shared sources until patched
# Verify Joplin version and update
# Check current version in Joplin: Help > About Joplin
# Update via package manager (if installed via snap)
snap refresh joplin-desktop
# Or download latest version from official website
# https://joplinapp.org/download/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.