@joplin/lib@2.10.2

Joplin Core library

  • latest version

    3.6.3

  • first published

    5 years ago

  • latest version published

    1 month ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the @joplin/lib package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Allocation of Resources Without Limits or Throttling

    @joplin/lib is a Joplin core library.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the title input. An attacker can cause the application to consume excessive memory and terminate unexpectedly by submitting an extremely long string through the user interface or by sending a crafted HTTP POST request to the local web service API after obtaining a valid authentication token.

    Note: This is only exploitable if the attacker has access to the local system or can compromise the user's authentication token.

    How to fix Allocation of Resources Without Limits or Throttling?

    A fix was pushed into the master branch but not yet published.

    *
    • H
    Arbitrary Code Injection

    @joplin/lib is a Joplin core library.

    Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper handling of URI schemes in the openExternal function.

    Note: This is exploitable only for Windows environments.

    How to fix Arbitrary Code Injection?

    Upgrade @joplin/lib to version 2.14.1 or higher.

    <2.14.1
    • M
    Arbitrary Code Injection

    @joplin/lib is a Joplin core library.

    Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of <a> tags by the Mermaid integration in markdown previews. An attacker can execute arbitrary code within the Electron window with full Node.js API access.

    How to fix Arbitrary Code Injection?

    Upgrade @joplin/lib to version 3.2.2 or higher.

    <3.2.2
    • M
    Cross-site Scripting (XSS)

    @joplin/lib is a Joplin core library.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the onload attribute of images copied and pasted into the rich text editor.

    How to fix Cross-site Scripting (XSS)?

    Upgrade @joplin/lib to version 2.12.1 or higher.

    <2.12.1