Plattform
nodejs
Komponente
joplin
Behoben in
3.3.4
CVE-2025-27409 describes a Path Traversal vulnerability discovered in Joplin Server. This flaw allows attackers to potentially read sensitive files outside of the intended directories by manipulating file paths related to plugin assets. The vulnerability impacts versions of Joplin Server up to and including 3.3.3. A fix is available in version 3.3.3.
An attacker exploiting this vulnerability can leverage the findLocalFile function within the default route to read arbitrary files on the server. By crafting malicious requests targeting css/pluginAssets or js/pluginAssets paths, they can bypass intended access controls. This could lead to the exposure of configuration files, source code, or other sensitive data stored on the server. The potential impact extends beyond simple data disclosure; an attacker could potentially modify or delete files, leading to service disruption or further compromise.
CVE-2025-27409 was publicly disclosed on 2025-04-30. Currently, there are no known active campaigns exploiting this vulnerability. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's nature suggests that it is likely to be exploited once a PoC is released. The vulnerability is not currently listed on the CISA KEV catalog.
Users running Joplin Server versions prior to 3.3.3, particularly those with publicly accessible instances or those hosting sensitive data, are at significant risk. Shared hosting environments where Joplin Server is installed could also be vulnerable, as the attacker might be able to exploit the vulnerability to access files belonging to other users on the same server.
• nodejs / server:
grep -r 'pluginAssets' /var/log/joplin/server.log
grep -r 'css/pluginAssets' /var/log/joplin/server.log
grep -r 'js/pluginAssets' /var/log/joplin/server.log• generic web:
curl -I 'http://your-joplin-server/css/pluginAssets/../../../../etc/passwd'disclosure
Exploit-Status
EPSS
0.61% (70% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-27409 is to upgrade Joplin Server to version 3.3.3 or later, which contains the necessary fix. If an immediate upgrade is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing css/pluginAssets or js/pluginAssets in the path. Additionally, restrict file permissions on the Joplin Server directory to minimize the potential damage from a successful exploit. After upgrading, verify the fix by attempting to access files outside the intended directories via the affected endpoints; access should be denied.
Actualice Joplin Server a la versión 3.3.3 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal. La actualización se puede realizar a través del panel de administración o descargando la última versión del software.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-27409 is a Path Traversal vulnerability affecting Joplin Server versions up to 3.3.3, allowing attackers to read files outside intended directories.
Yes, if you are running Joplin Server version 3.3.3 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade Joplin Server to version 3.3.3 or later to patch this vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature suggests it could be targeted.
Please refer to the official Joplin security advisories on their website or GitHub repository for the latest information.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.