CVE-2025-23084

CVSS 5.6 MEDIUMEPSS 1.4%CWE-22

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Productos afectados

NodeJS · Node

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases https://security.netapp.com/advisory/ntap-20250321-0003/http://www.openwall.com/lists/oss-security/2025/07/22/2