CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token. There are two primary methods of exploitation: User Interface (UI) input and the Local Web Service API. A local user can directly type or paste an extremely long string into the title field when creating or editing a note. Joplin also runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory. This issue has been patched in version 3.7.1.
Analysis (AI)
Denial of service via unbounded memory allocation in Joplin note-taking application versions 3.6.14 and prior crashes the application by exhausting system memory when an excessively long string is provided as a note title. Authenticated local users with access to the Joplin UI, or attackers holding a compromised local API token, can trigger this Out Of Memory condition through either direct UI interaction or an HTTP POST to the local web service API (default port 41184). No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, exploitation requires only low privileges and no user interaction once access is established.
Technical Context (AI)
The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) in Joplin's BaseModel TypeScript class, specifically in the userSideValidation() method, which previously accepted a title parameter of arbitrary length without enforcing any upper bound. When an unbounded string is processed, the Node.js/Electron runtime attempts to allocate memory proportional to the string length, resulting in an OOM crash and process termination. The affected CPE is cpe:2.3:a:laurent22:joplin:*:*:*:*:*:*:*:*, covering all Joplin desktop application builds through 3.6.14. The local web service API, typically bound to localhost port 41184, provides a programmatic HTTP interface to the same underlying model layer, making it a secondary attack surface that shares the same unvalidated code path. The fix, visible in commit 5b8795da, adds a hard 4096-character cap enforced by throwing a validation error before memory allocation occurs.
Remediation (AI)
Upgrade Joplin to version 3.7.1 or later, which contains the fix introduced in commit 5b8795da446a5a40c9e212c98b35e368ffce628e (https://github.com/laurent22/joplin/commit/5b8795da446a5a40c9e212c98b35e368ffce628e); the patch adds a strict 4096-character limit on note titles via the userSideValidation() method. Full advisory details are available at https://github.com/laurent22/joplin/security/advisories/GHSA-6jm8-gr87-q69x. If immediate upgrade is not possible, administrators or power users can restrict access to the local web service API (port 41184) using host-based firewall rules to block or rate-limit connections to that port, reducing the programmatic API attack surface; this does not eliminate the UI-based vector. Note that blocking port 41184 will disable browser extensions and other integrations that rely on the Joplin local API. There is no known configuration option to disable title length input directly without patching.
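The Technical Context and Remediation sections above describe the fix as a hard 4096-character cap enforced by throwing a validation error before any allocation happens. The following is an added illustration of that defensive pattern, written for this page and not taken from Joplin's code base: the only value borrowed from the advisory is the 4096 limit, while the function and type names (validateTitle, handleCreateNote, ValidationError) are assumptions.

```typescript
// Added example (not Joplin's own code): a title-length guard modelled on the
// 4096-character cap the advisory describes. All names here are assumptions.
const MAX_TITLE_LENGTH = 4096; // limit stated in the advisory

class ValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'ValidationError';
  }
}

interface NoteInput {
  title?: unknown;
  body?: unknown;
}

// Reject an over-long title before it is copied, normalised or persisted.
// `length` counts UTF-16 code units, which is what a Node.js/Electron string
// occupies in memory, so it is the right unit to bound for an OOM guard.
function validateTitle(title: unknown): string {
  if (title === undefined || title === null) return '';
  if (typeof title !== 'string') {
    throw new ValidationError('title must be a string');
  }
  if (title.length > MAX_TITLE_LENGTH) {
    throw new ValidationError(
      `title exceeds ${MAX_TITLE_LENGTH} characters (got ${title.length})`,
    );
  }
  return title;
}

type ApiResult =
  | { status: 200; saved: { title: string } }
  | { status: 400; error: string };

// Minimal stand-in for the local API's create-note handler: validation runs
// first, and the note is only built (and would only be stored) once it passes,
// so a rejected request never reaches the model layer.
function handleCreateNote(input: NoteInput): ApiResult {
  try {
    const title = validateTitle(input.title);
    return { status: 200, saved: { title } };
  } catch (e) {
    if (e instanceof ValidationError) return { status: 400, error: e.message };
    throw e;
  }
}
```

The ordering matters as much as the limit: the check must sit ahead of any step that copies or transforms the string, otherwise the allocation the advisory warns about has already happened by the time the error is thrown.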
EUVD-2025-209900