CVE-2018-25378: Notebook Pro 2.0 Denial of Service via Notebook Name Field
Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook.
Security readout for executives and security teams
Plain-English summary
Notebook Pro 2.0 can be crashed by abuse of the notebook name field. The impact is local denial of service: lost application availability and possible interruption to users, not documented data theft or privilege escalation.
Executive priority
Handle as a moderate endpoint resilience issue. Prioritize remediation where Notebook Pro 2.0 supports business workflows or shared machines, but it should not outrank remotely exploitable or data-impacting vulnerabilities.
Technical view
CVE-2018-25378 affects Stokedonit Notebook Pro 2.0. Sources describe improper handling of excessively large notebook-name input, mapped to CWE-789, causing an application crash. CVSS 4.0 is 6.9 with local attack vector and high vulnerable-system availability impact.
Likely exposure
Exposure is limited to environments where Notebook Pro 2.0 is installed and local users can create notebooks. There is no evidence in the provided sources of network exposure, server-side impact, or other affected versions.
Exploitation context
A public ExploitDB reference exists, but the CVE is not listed as KEV and the provided sources do not state active exploitation. Treat this as publicly documented local denial of service, not confirmed in-the-wild exploitation.
Researcher notes
The record names only Notebook Pro 2.0 and only availability impact. The source bundle does not identify a vendor patch, workaround, or active exploitation. Avoid expanding scope beyond the named product/version without additional evidence.
Mitigation direction
Inventory endpoints for Stokedonit Notebook Pro 2.0 installations.
Check vendor or trusted advisory sources for updates or replacement guidance.
Remove or restrict Notebook Pro 2.0 where business need is low.
Limit use to trusted local users on managed endpoints.
Monitor for repeated Notebook Pro crashes during notebook creation.
Validation and detection
Confirm installed product name and version on managed endpoints.
Review crash reports for Notebook Pro failures tied to notebook creation.
Check whether untrusted users can access the application locally.
Validate any update, removal, or replacement in a lab first.
Document compensating controls if no vendor patch is available.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-789: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.