CVE-2025-57798
Status: Deferred - Pending Action
Denial of Service in Joplin via Long Title Input

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: GitHub, Inc.

Description
Joplin is an open source note-taking and to-do application that organises notes and lists into notebooks. Versions 3.6.14 and prior contain a Denial of Service (DoS) vulnerability in the title input functionality due to a lack of proper length validation. This flaw allows an attacker to cause an Out Of Memory (OOM) error and subsequent program termination by inserting an excessively long string into a note's title. This can be triggered either through direct user interface (UI) input or programmatically via the local web service API after compromising an authentication token.

There are two primary methods of exploitation:

  • User interface (UI) input: a local user can directly type or paste an extremely long string into the title field when creating or editing a note.
  • Local web service API: Joplin runs a local web service (typically on port 41184) that allows programmatic interaction, such as creating or editing notes via HTTP API calls. If an attacker manages to exfiltrate or compromise the user's authentication token (e.g., through malware on the local system, or other local vulnerabilities), they can then send a crafted HTTP POST request to this local API. By including an excessively long string in the title parameter of this request, the application will attempt to allocate an unbounded amount of memory.

This issue has been patched in version 3.7.1.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A: 2026-05-20
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor Product Version / Range
laurent app to 3.7.1 (exc)
laurent app joplin
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

This vulnerability exists in Joplin, an open source note-taking application, specifically in versions 3.6.14 and earlier. It is a Denial of Service (DoS) flaw caused by improper length validation in the note title input functionality.

An attacker can exploit this by inserting an excessively long string into a note's title, which causes the application to attempt to allocate an unbounded amount of memory, leading to an Out Of Memory (OOM) error and program termination.

There are two main ways to exploit this: directly through the user interface by typing or pasting a very long string into the title field, or programmatically via the local web service API if the attacker has compromised the user's authentication token.

This vulnerability has been fixed in version 3.7.1 of Joplin.


How can this vulnerability impact me?

The primary impact of this vulnerability is a Denial of Service (DoS) condition.

By exploiting the flaw, an attacker can cause the Joplin application to crash due to an Out Of Memory (OOM) error, which disrupts normal use of the application.

If an attacker gains access to the local web service API through a compromised authentication token, they can trigger this crash programmatically, without touching the user interface, potentially causing loss of availability of the note-taking service.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Whether a system is affected is determined by the installed Joplin version (3.6.14 and earlier are vulnerable; 3.7.1 contains the fix). Exploitation attempts can be detected by monitoring for unusually large or excessively long strings being input into the title field of notes in Joplin, either through the user interface or via the local web service API.

To detect exploitation attempts via the local web service API, you can monitor HTTP POST requests to the local web service, typically running on port 41184, and look for requests where the title parameter contains an excessively long string.

Example commands to help detect such activity include:

  • Using netstat or ss to check if the local web service is running on port 41184: `netstat -an | grep 41184` or `ss -an | grep 41184`
  • Using a network packet capture tool like tcpdump to monitor HTTP POST requests to port 41184: `tcpdump -i lo port 41184 and tcp`
  • Inspecting logs or capturing HTTP traffic to identify POST requests with unusually long title parameters.

Additionally, monitoring the application for Out Of Memory (OOM) errors or crashes when creating or editing notes can also indicate exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Joplin to version 3.7.1 or later, where this vulnerability has been patched.

Until the upgrade can be applied, avoid entering or allowing input of excessively long strings in the note title field.

Restrict access to the local web service API by securing or disabling it if not needed, and protect authentication tokens to prevent unauthorized API access.

Monitor the system for signs of Out Of Memory errors or unexpected application termination, which may indicate exploitation attempts.
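The detection answer above suggests inspecting HTTP traffic to port 41184 for POST requests with oversized title parameters, and the mitigation answer suggests keeping long titles out of the title field until the upgrade is applied. The script below is an added example, not Joplin project code and not part of this advisory: it runs a length check over constructed sample request records (the kind of simplified output a proxy or packet-capture tool would export) and includes a client-side guard that rejects an oversized title before a request is sent. Only the port 41184 and the `title` parameter come from the advisory; the `/notes` path shape, the JSON body layout, the `MAX_TITLE_LEN` threshold and the record format are assumptions chosen for this example.

```python
"""Flag oversized note titles in captured requests to Joplin's local API.

Added example, not Joplin's own code. Assumptions (not from the advisory):
  - each request is a dict with method, port, path and raw body, as a
    proxy or capture tool might export it;
  - note writes use the paths "/notes" (create) and "/notes/<id>" (update)
    with a JSON body carrying a "title" field;
  - MAX_TITLE_LEN is a local policy threshold, not a limit defined by Joplin.
"""
import json

JOPLIN_API_PORT = 41184   # port named in the advisory
MAX_TITLE_LEN = 1024      # assumed policy threshold for this example

# Constructed sample records; the token is redacted on purpose.
SAMPLE_REQUESTS = [
    {"method": "POST", "port": 41184, "path": "/notes?token=REDACTED",
     "body": json.dumps({"title": "Groceries", "body": "milk, eggs"})},
    {"method": "POST", "port": 41184, "path": "/notes?token=REDACTED",
     "body": json.dumps({"title": "A" * 5000, "body": ""})},
    {"method": "PUT", "port": 41184, "path": "/notes/abc123?token=REDACTED",
     "body": json.dumps({"title": "B" * 2000})},
    {"method": "GET", "port": 41184, "path": "/notes?token=REDACTED",
     "body": ""},
    {"method": "POST", "port": 8080, "path": "/unrelated",
     "body": json.dumps({"title": "C" * 9000})},
]


def title_length(body):
    """Length of the JSON "title" string in a request body, or 0 if absent.

    Malformed bodies and non-string titles count as 0 so a single bad
    record cannot abort a scan over a whole capture.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return 0
    if not isinstance(data, dict):
        return 0
    title = data.get("title")
    return len(title) if isinstance(title, str) else 0


def flag_oversized_titles(requests, max_len=MAX_TITLE_LEN, port=JOPLIN_API_PORT):
    """Return one finding per note write to the Joplin port whose title exceeds max_len.

    Only the path component is recorded, so the auth token carried in the
    query string never lands in the alert output.
    """
    findings = []
    for req in requests:
        if req.get("port") != port or req.get("method") not in ("POST", "PUT"):
            continue
        length = title_length(req.get("body", ""))
        if length > max_len:
            findings.append({
                "method": req["method"],
                "path": req["path"].split("?", 1)[0],
                "title_length": length,
            })
    return findings


def validate_title(title, max_len=MAX_TITLE_LEN):
    """Client-side guard for scripts that write notes: reject before sending."""
    if not isinstance(title, str):
        raise TypeError("title must be a string")
    if len(title) > max_len:
        raise ValueError(f"title length {len(title)} exceeds limit {max_len}")
    return title


if __name__ == "__main__":
    for finding in flag_oversized_titles(SAMPLE_REQUESTS):
        print(f"ALERT {finding['method']} {finding['path']}: "
              f"title length {finding['title_length']} > {MAX_TITLE_LEN}")
```

Run against the constructed records, the scan reports the two note writes with 5000- and 2000-character titles and ignores the GET and the request to an unrelated port. The threshold is a judgement call: set it well above the longest title legitimately in use so the alert stays quiet in normal operation.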

