CVE-2025-25187: 
NixOS vulnerability analysis and mitigation

Joplin, a free and open source note taking application, was found to contain a cross-site scripting (XSS) vulnerability (CVE-2025-25187) that allows arbitrary code execution. The vulnerability was discovered in versions 3.1.23 and earlier, and has been patched in version 3.1.24. The issue stems from note titles being added to the document using React's dangerouslySetInnerHTML without proper HTML entity escaping, combined with a lack of restrictive Content-Security-Policy for script-src (GitHub Advisory).

The vulnerability exists due to multiple security issues working together: 1) Note titles are added using React's dangerouslySetInnerHTML without HTML entity escaping, 2) The application lacks a Content-Security-Policy with a restrictive script-src, allowing arbitrary JavaScript execution via inline event handlers, and 3) The main window is created with nodeIntegration set to true. The vulnerability has been present since at least March 2020. The issue has been assigned a CVSS v3.1 score of 7.8 (High) with vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary shell commands through the ctrl+p search dialog when a user searches for content containing malicious note titles. This affects any user who receives notes from unknown sources and uses the ctrl+p search functionality. The high CVSS score reflects potential impacts on confidentiality, integrity, and availability of the system (GitHub Advisory).

The vulnerability has been patched in Joplin version 3.1.24. All users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).