Node.js has released urgent security updates to address a high-severity path traversal vulnerability, identified as CVE-2025-27210, specifically impacting applications running on Windows. The flaw, which allows attackers to bypass path protection mechanisms using Windows device names, was officially acknowledged, patched, and disclosed by the Node.js security team on July 15, 2025.
The vulnerability stems from an incomplete fix for a previous issue (CVE-2025-23084), where Node.js functions like path.normalize() and path.join() mishandled reserved Windows device names such as CON, PRN, and AUX. This oversight permits malicious actors to craft paths that bypass intended security controls, potentially leading to unauthorized access to system files or sensitive directories. The Node.js project stated in its security release, "An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX."
Security researcher Oblivion Sage first discovered and reported the zero-day vulnerability, as announced in a tweet:
"Found a 0day in Node.js - CVE-2025-27210 Discovered a path traversal vulnerability in Node.js (Windows path traversal via device names)! Officially acknowledged, patched & disclosed by the Node.js security team!"
This critical flaw affects all active Node.js release lines on Windows, including versions 20.x, 22.x, and 24.x. The Node.js security team, with a fix implemented by RafaelGSS, has released updated versions to mitigate the risk. These include Node.js v20.19.4, v22.17.1, and v24.4.1.
In addition to CVE-2025-27210, the July 15 security releases also address another high-severity issue, CVE-2025-27209, a HashDoS vulnerability affecting Node.js v24.x. This flaw, discovered by sharp_edged, reintroduces a hash collision vulnerability through changes in the V8 JavaScript engine's string hashing implementation, potentially leading to denial-of-service conditions.
Organizations and developers are strongly urged to update their Node.js installations immediately to the latest patched versions to protect against these vulnerabilities. Maintaining current software versions is crucial, as End-of-Life Node.js releases remain susceptible to these and other security threats.