Joplin
cpe:2.3:a:joplin_project:joplin:*:*:*:*:*:*:*, +1 more
- <= 3.6.14
A denial-of-service vulnerability has been identified in Joplin, an open-source note-taking application, in versions through 3.6.14. The issue arises from inadequate length validation of the note title input, which allows an attacker to insert excessively long strings. The string can be entered directly through the user interface or submitted programmatically via the local web service API, the latter after compromising an authentication token. The flaw leads to an 'Out Of Memory' error, causing the application to crash and terminate unexpectedly.
Exploitation of this vulnerability causes the Joplin application to crash, leading to an unexpected termination of the process. This disruption can result in the loss of unsaved work, especially if notes have not been recently synchronized. Additionally, the excessive memory consumption before the crash can temporarily affect the overall performance and stability of the host machine.
The vulnerability can be reproduced by entering an excessively long string into the title field of a note, either through the Joplin user interface or by sending a crafted HTTP POST request to the local web service API with the long string included in the title parameter. The API route requires prior access to a compromised authentication token.
Users can update to Joplin version 3.7.1 or later, where this vulnerability has been patched.
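For readers maintaining a similar local API, the following added example shows the kind of bound the description above says was missing: a byte cap enforced while the request body is still arriving, plus one title-length check that both the UI and API paths can share. It is not Joplin's code or its 3.7.1 patch; the function names, the `RejectedInput` class and both limits are assumptions.

```javascript
// Added example: names and limits are assumptions, not Joplin's code.
const MAX_BODY_BYTES = 1024 * 1024; // assumed cap on a request body
const MAX_TITLE_CHARS = 1000;       // assumed cap on a note title

class RejectedInput extends Error {
  constructor(status, message) {
    super(message);
    this.status = status; // HTTP status the handler should return
  }
}

// Accumulate the body chunk by chunk and stop at the first chunk that
// crosses the cap, so an oversized payload is never buffered in full.
// `stream` is any async iterable of Buffers (http.IncomingMessage is one).
async function readBoundedBody(stream, maxBytes = MAX_BODY_BYTES) {
  const chunks = [];
  let total = 0;
  for await (const chunk of stream) {
    total += chunk.length;
    if (total > maxBytes) {
      throw new RejectedInput(413, `body exceeds ${maxBytes} bytes`);
    }
    chunks.push(chunk);
  }
  return Buffer.concat(chunks, total).toString('utf8');
}

// Shared by the API handler and the UI save path, so both entry points
// named in the advisory enforce the same limit. Length is in UTF-16 units.
function validateTitle(title, maxChars = MAX_TITLE_CHARS) {
  if (typeof title !== 'string') {
    throw new RejectedInput(400, 'title must be a string');
  }
  if (title.length > maxChars) {
    throw new RejectedInput(400, `title exceeds ${maxChars} characters`);
  }
  return title;
}

async function parseNoteRequest(stream) {
  const raw = await readBoundedBody(stream);
  let note;
  try {
    note = JSON.parse(raw);
  } catch {
    throw new RejectedInput(400, 'body is not valid JSON');
  }
  validateTitle(note?.title);
  return note;
}
```

The body cap matters independently of the title check: validating `title` only after `JSON.parse` would still require the whole oversized payload to be held in memory first.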