Node.js
cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*
- ~20
- ~22
- ~24
A vulnerability has been identified in Node.js that affects the `path.join` API on Windows systems. This issue arises from an incomplete fix for a previous vulnerability (CVE-2025-23084) and specifically impacts Windows device names such as CON, PRN, and AUX. The vulnerability allows these device names to bypass path traversal protections, potentially leading to unintended file access or manipulation.
Exploitation could enable path traversal: by manipulating file paths, an attacker could access or modify files outside the intended directory structure.
Users can update to the latest versions of Node.js in the 20.x, 22.x, and 24.x release lines to address this vulnerability.
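As defence in depth alongside the update, an application can reject reserved device names itself before a user-supplied path reaches `path.join`. The following is an added example, not code from Node.js or from this advisory; `safeJoin` and `isReservedSegment` are hypothetical names, the sample paths in the comments are constructed, and the reserved set goes beyond the CON, PRN and AUX named above to cover the other standard Windows device names.

```javascript
const path = require('node:path');

// Reserved Windows device names. The advisory names CON, PRN and AUX;
// NUL, COM1-9 and LPT1-9 complete the standard reserved set (generalization).
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

// Deliberately conservative: a reserved name followed by an extension,
// a colon, or trailing dots/spaces is rejected as well (e.g. "aux.txt").
function isReservedSegment(segment) {
  const stem = segment.split(/[.:]/)[0].replace(/[ .]+$/, '');
  return RESERVED.test(stem);
}

// Join an untrusted relative path onto baseDir, or throw.
// path.win32 is used so the Windows rules apply on any host OS.
function safeJoin(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) {
    throw new Error('invalid path input');
  }
  // Check every segment first, so nothing reserved reaches the path API.
  for (const segment of untrusted.split(/[\\/]+/)) {
    if (isReservedSegment(segment)) {
      throw new Error(`reserved device name in path: ${segment}`);
    }
  }
  // Containment check: the resolved target must stay under baseDir.
  const base = path.win32.resolve(baseDir);
  const target = path.win32.resolve(base, untrusted);
  const rel = path.win32.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Constructed usage:
//   safeJoin('C:\\app\\uploads', 'docs\\report.txt')  -> joined path
//   safeJoin('C:\\app\\uploads', 'sub/PRN')           -> throws
```
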