Description
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file separator is treated as relative to the current directory.
This vulnerability affects Windows users of the `path.join` API.
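An application-side check for the behaviour described above, as an added example (not code from Node.js or from the advisory): the hypothetical helper `resolveInside` refuses drive designators in untrusted input before any path function sees them, then confirms the resolved path stays under the base directory. The base directory, the sample inputs, and the choice to reject every segment containing `:` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Hypothetical helper (not a Node.js API): resolve an untrusted relative path
// under baseDir using Windows path rules, or return null if it must be refused.
function resolveInside(baseDir, untrusted) {
  const win = path.win32; // explicit Windows semantics, so this runs on any OS
  if (typeof untrusted !== 'string' || untrusted.length === 0) return null;

  // Assumed mitigation: refuse any segment containing ':' before it reaches
  // path.join/path.normalize. This covers drive designators ("C:", "C:file")
  // and NTFS alternate data streams; ':' is not valid in a Windows file name.
  const segments = untrusted.split(/[\\/]+/);
  if (segments.some((s) => s.includes(':'))) return null;

  // Rooted input ("\Windows", "\\server\share") is never relative to baseDir.
  if (win.isAbsolute(untrusted)) return null;

  // Resolve, then confirm the result is still below the base directory.
  const base = win.resolve(baseDir);
  const target = win.resolve(base, untrusted);
  const rel = win.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || win.isAbsolute(rel)) return null;
  return target;
}

// Constructed sample inputs (illustrative only).
const BASE = 'C:\\srv\\uploads';
const SAMPLES = [
  'img\\a.png',        // ordinary relative path
  'img/a.png',         // forward slashes are separators on Windows too
  '..foo',             // legal file name that merely starts with dots
  '..\\secret.txt',    // classic parent traversal
  'C:secret.txt',      // drive-relative: looks relative, names drive C:
  'x\\..\\D:\\data',   // drive designator hidden behind a ".." segment
  '\\Windows',         // rooted on the current drive
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', resolveInside(BASE, s));
}
```

Running the check before `path.join` keeps the result independent of which Node.js version is installed.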
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
Attack Vector: Local
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Affected Packages: 4 packages
Vulnerability Details (4)
OSV: CVE-2025-23084: A vulnerability has been identified in Node (2025-01-28)
CVEList: CVE-2025-23084: A vulnerability has been identified in Node (2025-01-28)
OSV: CVE-2025-23084: A vulnerability has been identified in Node (2025-01-28)
GHSA: GHSA-37v4-cwgp-x353: A vulnerability has been identified in Node (2025-01-28)
Vendor Advisories (3)
Oracle: Oracle PeopleSoft Risk Matrix: OpenSearch Dashboards (Node.js) — CVE-2025-23084 (2025-07-15)
Oracle: Oracle Communications Applications Risk Matrix: Core (Node.js) — CVE-2025-23084 (2025-04-15)
Debian: CVE-2025-23084: nodejs - A vulnerability has been identified in Node.js, specifically affecting the handl... (2025)
Community (1)
HackerOne: Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize() (2025-07-15)