CVE-2025-57798 Overview
CVE-2025-57798 is a Denial of Service (DoS) vulnerability in Joplin, an open source note-taking and to-do application. The flaw affects versions 3.6.14 and prior. The application fails to validate the length of the title field when creating or editing notes. An attacker can submit an excessively long string, causing the application to allocate unbounded memory and terminate with an Out Of Memory (OOM) error. The issue is tracked under CWE-770: Allocation of Resources Without Limits or Throttling. The vulnerability has been patched in version 3.7.1.
Critical Impact
Local attackers with low privileges can crash the Joplin application by submitting an oversized title string through the UI or the local web service API on port 41184.
Affected Products
- Joplin Desktop versions 3.6.14 and prior
- Joplin Mobile versions 3.6.14 and prior
- Joplin local web service API (default port 41184)
Discovery Timeline
- 2026-05-19 - CVE-2025-57798 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2025-57798
Vulnerability Analysis
The vulnerability resides in Joplin's note model layer, specifically in the userSideValidation function within packages/lib/BaseModel.ts. The function validated identifiers and timestamps but did not enforce any length constraint on the title parameter. When a caller supplies a string of arbitrary size, the application attempts to process and store the entire value in memory. Large inputs trigger an Out Of Memory condition that terminates the Joplin process.
The vulnerability is classified under CWE-770 for missing resource allocation limits. Exploitation results in loss of availability only; confidentiality and integrity are not affected.
Root Cause
The root cause is missing input length validation in the note model. The pre-patch userSideValidation signature accepted only id, user_updated_time, and user_created_time. Title content bypassed validation entirely and propagated to memory allocation paths without bounds checking.
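The following is an added example, not code from Joplin or from the advisory. It models the shape of the userSideValidation routine described above in two forms: a pre-patch version that validates only id and timestamps, and a hardened version that additionally bounds the title length before the value can reach any storage or rendering path. The limit MAX_TITLE_LENGTH, the timestamp checks and the error wording are assumptions for illustration and are not Joplin's actual values.

```typescript
// Added example modelled on the validation routine described in the advisory.
// MAX_TITLE_LENGTH is an assumed limit, not the value used by the Joplin patch.
const MAX_TITLE_LENGTH = 1024;

interface NoteFields {
  id?: string;
  title?: string;
  user_updated_time?: number;
  user_created_time?: number;
}

// Pre-patch shape: checks the identifier and the timestamps, never looks at title.
// The timestamp rule (non-negative integer) is an assumption for this example.
function validateWithoutTitleCheck(o: NoteFields): void {
  if (o.id && !/^[a-f0-9]{32}$/.test(o.id)) {
    throw new Error('Validation error: ID must be a 32-character lowercase hexadecimal string');
  }
  for (const field of ['user_updated_time', 'user_created_time'] as const) {
    const v = o[field];
    if (v !== undefined && (!Number.isInteger(v) || v < 0)) {
      throw new Error(`Validation error: ${field} must be a non-negative integer`);
    }
  }
}

// Hardened shape: the same checks plus a hard bound on the title. Rejecting here
// means the oversized value is never copied into the note model or the database.
function validateWithTitleCheck(o: NoteFields): void {
  validateWithoutTitleCheck(o);
  if (o.title !== undefined) {
    if (typeof o.title !== 'string') {
      throw new Error('Validation error: title must be a string');
    }
    if (o.title.length > MAX_TITLE_LENGTH) {
      throw new Error(`Validation error: title exceeds ${MAX_TITLE_LENGTH} characters`);
    }
  }
}

// Demonstration helper: true when the given validator accepts the note.
function accepts(validator: (o: NoteFields) => void, o: NoteFields): boolean {
  try {
    validator(o);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample: a note whose title is one character over the assumed limit.
const oversizedNote: NoteFields = {
  id: 'a'.repeat(32),
  title: 'x'.repeat(MAX_TITLE_LENGTH + 1),
};

// The pre-patch validator lets the oversized title through; the hardened one rejects it.
console.log('pre-patch accepts oversized title:', accepts(validateWithoutTitleCheck, oversizedNote));
console.log('hardened accepts oversized title: ', accepts(validateWithTitleCheck, oversizedNote));
```

A length check at the model layer is cheap because the string is already in memory when it runs; what it prevents is the value being copied, indexed and persisted further down the pipeline. For the HTTP path a request body limit on the local web service is the complementary control, since it stops the oversized payload before it is parsed at all.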
Attack Vector
There are two exploitation paths. A local user can paste an extremely long string directly into the title field through the user interface when creating or editing a note. Alternatively, an attacker who has compromised the user's authentication token can send a crafted HTTP POST request to the local web service (typically listening on port 41184), including an oversized title parameter. Both paths cause the same OOM condition and process termination.
// Patch in packages/lib/BaseModel.ts
// Adds title to the validated fields so length can be checked
- public static userSideValidation(o: { id?: string; user_updated_time?: number; user_created_time?: number }) {
+ public static userSideValidation(o: { id?: string; title?: string; user_updated_time?: number; user_created_time?: number }) {
if (o.id && !o.id.match(/^[a-f0-9]{32}$/)) {
throw new Error('Validation error: ID must a 32-characters lowercase hexadecimal string');
}
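Review bot: the hunk shown only widens the userSideValidation parameter type to include `title?: string`; none of the visible lines check `o.title` at all, so on its own this change does not reject an oversized title. Confirm that the same function gains an explicit bound, in the style of the existing id check, for example `if (o.title && o.title.length > LIMIT) throw new Error('Validation error: title too long');`, and that the limit is documented alongside it. While touching this function, the existing message 'ID must a 32-characters lowercase hexadecimal string' is missing the word "be".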
Source: Joplin GitHub Commit 5b8795d
Detection Methods for CVE-2025-57798
Indicators of Compromise
- Repeated Joplin application crashes or unexpected terminations on a user's workstation
- HTTP POST requests to localhost:41184 containing unusually large title field payloads
- Spikes in process memory consumption attributed to the Joplin executable prior to termination
- Unexpected reads of the Joplin authentication token from disk or memory by non-Joplin processes
Detection Strategies
- Monitor process exit codes and crash reports for the Joplin binary, correlating with preceding memory pressure events
- Inspect local HTTP traffic to port 41184 for POST requests with abnormally large request bodies
- Track file access to the Joplin profile directory and authentication token storage by unauthorized processes
Monitoring Recommendations
- Enable host-based logging for Joplin process lifecycle events and memory usage thresholds
- Alert on local API requests to 127.0.0.1:41184 originating from processes other than Joplin or expected automation tools
- Audit access patterns to the Joplin token to detect exfiltration attempts by local malware
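As an added example serving both the Detection Strategies and Monitoring Recommendations above (not tooling from the advisory or from Joplin), the following detector scans captured records of local HTTP requests and flags two of the conditions listed: oversized POST/PUT bodies sent to the Joplin web service port, and requests to that port from processes outside an expected client list. The record format, the size threshold and the process allow-list are assumptions chosen for illustration; the sample records are constructed.

```typescript
// Added example detector for the indicators described in the advisory.
// Record format, threshold and allow-list are assumptions for this example.
interface RequestRecord {
  ts: string;
  pid: number;
  process: string;
  method: string;
  url: string;
  contentLength: number;
}

interface Finding {
  ts: string;
  reason: string;
  record: RequestRecord;
}

const JOPLIN_API_PORT = 41184;
const MAX_EXPECTED_BODY = 1000000; // assumed threshold (1 MB); tune per environment
const EXPECTED_CLIENTS = new Set(['Joplin', 'joplin', 'firefox', 'chrome']); // assumed allow-list

// Parse one constructed record line of the form:
//   "<iso-ts> pid=<n> proc=<name> <METHOD> <url> len=<bytes>"
function parseRecord(line: string): RequestRecord | null {
  const m = line.match(/^(\S+) pid=(\d+) proc=(\S+) (\S+) (\S+) len=(\d+)$/);
  if (!m) return null;
  return {
    ts: m[1],
    pid: Number(m[2]),
    process: m[3],
    method: m[4],
    url: m[5],
    contentLength: Number(m[6]),
  };
}

// True when the URL points at the Joplin local web service on loopback.
function targetsJoplinApi(url: string): boolean {
  try {
    const u = new URL(url);
    const loopback = u.hostname === '127.0.0.1' || u.hostname === 'localhost';
    return loopback && Number(u.port) === JOPLIN_API_PORT;
  } catch (e) {
    return false;
  }
}

// Walk the records and emit a finding per matched condition.
function analyze(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const r = parseRecord(line);
    if (!r || !targetsJoplinApi(r.url)) continue;
    if ((r.method === 'POST' || r.method === 'PUT') && r.contentLength > MAX_EXPECTED_BODY) {
      findings.push({
        ts: r.ts,
        reason: `oversized ${r.method} body (${r.contentLength} bytes) to Joplin API`,
        record: r,
      });
    }
    if (!EXPECTED_CLIENTS.has(r.process)) {
      findings.push({
        ts: r.ts,
        reason: `Joplin API request from unexpected process ${r.process}`,
        record: r,
      });
    }
  }
  return findings;
}

// Constructed sample records: one benign clipper request, one oversized body
// from an unknown process, one benign GET, and one request unrelated to Joplin.
const sampleLines = [
  '2026-05-20T10:00:01Z pid=4120 proc=firefox POST http://127.0.0.1:41184/notes?token=REDACTED len=2048',
  '2026-05-20T10:00:05Z pid=9911 proc=unknown.exe POST http://127.0.0.1:41184/notes?token=REDACTED len=52428800',
  '2026-05-20T10:00:06Z pid=4120 proc=firefox GET http://127.0.0.1:41184/ping len=0',
  '2026-05-20T10:00:07Z pid=3000 proc=curl GET http://example.com/ len=0',
];

for (const f of analyze(sampleLines)) {
  console.log(`${f.ts} pid=${f.record.pid} ${f.reason}`);
}
```

The two checks are deliberately independent: a large body from an allowed client still deserves a look (a user may have pasted something enormous), and a small request from an unexpected process is a token-misuse signal regardless of size. Correlating a flagged record with a Joplin crash a few seconds later is what turns either signal into a confident detection.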
How to Mitigate CVE-2025-57798
Immediate Actions Required
- Upgrade Joplin Desktop and Mobile to version 3.7.1 or later on all affected endpoints
- Rotate the Joplin Web Clipper authentication token if there is any suspicion of local compromise
- Restrict access to the local web service port 41184 using host firewall rules
Patch Information
The issue is patched in Joplin version 3.7.1. The fix adds the title field to the userSideValidation function in packages/lib/BaseModel.ts, allowing length validation before memory allocation. Full details are available in GitHub Security Advisory GHSA-6jm8-gr87-q69x and the corresponding commit 5b8795d.
Workarounds
- Disable the Web Clipper service in Joplin settings if the local API is not required
- Avoid pasting untrusted content directly into note titles until the patched version is deployed
- Bind the local web service to loopback only and block external access at the host firewall
# Verify installed Joplin version and confirm patched release
joplin --version
# Expected output: 3.7.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.