
XSS in Goto Anything allows arbitrary code execution

High
laurent22 published GHSA-9gfv-q6wj-fr3c Feb 7, 2025

Package

joplin-desktop

Affected versions

<= 3.1.23

Patched versions

v3.1.24

Description

Summary

An XSS vulnerability allows note titles to execute arbitrary shell commands from the ctrl+p search dialog.

Details

This vulnerability is caused by adding note titles to the document using React's dangerouslySetInnerHTML, without first escaping HTML entities:

`<span style="font-weight: bold; color: ${theme.color};">${item.title}</span>`

Joplin lacks a Content-Security-Policy with a restrictive script-src. This allows arbitrary JavaScript execution via inline onclick/onload event handlers in unsanitized HTML. Additionally, Joplin's main window is created with nodeIntegration set to true, allowing arbitrary JavaScript execution to result in arbitrary code execution.
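As an added illustration (not Joplin's own code), the interpolation shape quoted above is shown next to a version that escapes HTML entities before the title is placed in markup, together with a small check that flags a rendered title containing tags other than the wrapping span. `escapeHtml`, `renderTitleUnsafe`, `renderTitleSafe`, `containsInjectedMarkup` and the sample title are assumed names and constructed input for this example.

```javascript
// Added example, not code from the advisory or from Joplin.
// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable shape: the title is interpolated into markup unescaped, so any
// tag or event-handler attribute in it becomes live DOM once the string is
// handed to dangerouslySetInnerHTML.
function renderTitleUnsafe(title, color) {
  return `<span style="font-weight: bold; color: ${color};">${title}</span>`;
}

// Hardened shape: entities are escaped first, so the title can only ever be
// text inside the span. (color is assumed to come from the app's own theme,
// not from note content.)
function renderTitleSafe(title, color) {
  return `<span style="font-weight: bold; color: ${color};">${escapeHtml(title)}</span>`;
}

// Defensive check: after removing the wrapping span, does anything that
// looks like a tag remain in the rendered title?
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<span[^>]*>/, '').replace(/<\/span>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Constructed sample title with an event-handler attribute (shape only).
const sampleTitle = '<style onload="alert(1)"></style>';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render injects markup:', containsInjectedMarkup(renderTitleUnsafe(sampleTitle, 'red')));
  console.log('safe render injects markup:  ', containsInjectedMarkup(renderTitleSafe(sampleTitle, 'red')));
}

module.exports = { escapeHtml, renderTitleUnsafe, renderTitleSafe, containsInjectedMarkup, sampleTitle };
```

In a React component the simpler fix is to render the title as a JSX child (`<span style={...}>{item.title}</span>`) so React escapes it itself and `dangerouslySetInnerHTML` is not needed at all. Escaping only closes the injection point; a restrictive `script-src` CSP and running the renderer with `nodeIntegration` disabled (and context isolation enabled) are the layers that keep a future HTML-injection bug from becoming code execution.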

A git blame suggests that this vulnerability has existed since at least March 2020. A similar vulnerability may have existed before then — older logic used surroundKeywords on untrusted input, which also did not escape HTML.

PoC

1. Create a note with the following title:
   <style onload="alert(require('child_process').execSync('ls /'))"></style>
2. Add someuniqueword to the note body.
3. Press ctrl-p and search for someuniqueword.

Tested versions: 3.1.20, 3.0.14, and 2.14.23.

Note: Different shell command used with v2.14.23

While testing the PoC with v2.14.23, I used

t<style onload="require('child_process').exec('zenity --error')">*{}</style>t

as the note title. On my system, zenity --error is a shell command to display an alert dialog. The above command was used due to issues with alert().

Impact

Anyone who 1) receives notes from unknown sources and 2) uses ctrl-p to search is impacted.

Severity

High


CVSS v3 base metrics

Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE ID

CVE-2025-25187

Weaknesses

No CWEs

Credits