CVE-2025-24028: 
NixOS vulnerability analysis and mitigation

Joplin, a free and open source note-taking application, was found to contain a critical XSS vulnerability (CVE-2025-24028) that affects versions 3.2.6 through 3.2.11. The vulnerability was discovered in early 2025 and publicly disclosed on February 7, 2025. The issue affects the application's HTML sanitizer handling of comments in both the Rich Text Editor and Markdown viewer components (GitHub Advisory).

The vulnerability stems from inconsistencies between how Joplin's HTML sanitizer processes comments and how the browser handles them. While both the Rich Text Editor and Markdown viewer are affected, the Markdown viewer's cross-origin isolation prevents JavaScript from directly accessing functions/variables in the toplevel Joplin window, limiting the impact. The vulnerability was introduced in commit 9b50539 and has been assigned a CVSS v3.1 base score of 7.8 HIGH with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to execute arbitrary code through the Rich Text Editor when users open untrusted notes. Due to the application's architecture, the impact is particularly severe in the Rich Text Editor component, where the lack of cross-origin isolation permits full access to the main application context (GitHub Advisory).

The vulnerability has been addressed in version 3.2.12, which improves comment escaping as evidenced by commit 2a058ed. All users are advised to upgrade to this version as there are no known workarounds for this vulnerability (GitHub Advisory).