Platform
nodejs
Component
joplin
Fixed in
3.3.4
CVE-2025-27409 describes a Path Traversal vulnerability discovered in Joplin Server. This flaw allows attackers to potentially read sensitive files outside of the intended directories by manipulating file paths related to plugin assets. The vulnerability impacts versions of Joplin Server up to and including 3.3.3. A fix is available in version 3.3.3.
The core of this vulnerability lies in the findLocalFile function within the default route of Joplin Server. This function, when handling requests for static files, incorrectly processes paths starting with css/pluginAssets or js/pluginAssets. The localFileFromUrl function is called to check these paths, and the result is returned directly without proper validation, enabling an attacker to craft malicious URLs that traverse outside the intended directories. Successful exploitation could lead to the exposure of configuration files, source code, or other sensitive data stored on the server. The potential blast radius is significant, as an attacker could gain access to a wide range of files depending on the server's configuration and file system permissions.
CVE-2025-27409 was publicly disclosed on April 30, 2025. The vulnerability's impact is relatively straightforward to understand and exploit, potentially increasing the risk of opportunistic attacks. There is no indication of this vulnerability being actively exploited at the time of writing, nor is it currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests they are likely to emerge.
Exploit Status
EPSS
0.61% (70% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-27409 is to immediately upgrade Joplin Server to version 3.3.3 or later. This version includes a fix that properly validates file paths, preventing the path traversal vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious pluginAssets paths. Carefully review and restrict file system permissions to limit the potential damage if the vulnerability is exploited. Monitor server logs for unusual file access patterns that might indicate an attempted exploit.
Actualice Joplin Server a la versión 3.3.3 o superior. Esta versión contiene una corrección para la vulnerabilidad de path traversal. La actualización se puede realizar a través del panel de administración o descargando la última versión del software.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-27409 is a Path Traversal vulnerability affecting Joplin Server versions up to 3.3.3, allowing attackers to read files outside intended directories.
Yes, if you are running Joplin Server version 3.3.3 or earlier, you are vulnerable to this Path Traversal vulnerability.
Upgrade Joplin Server to version 3.3.3 or later to patch this vulnerability. Consider WAF rules as a temporary mitigation.
There is currently no confirmed evidence of active exploitation, but the vulnerability's nature suggests it could be targeted.
Please refer to the official Joplin security advisories on their website or GitHub repository for the latest information.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.