Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2025-27210 — Path Traversal in Node

CWE-22 — Path Traversal8 documents7 sources

Severity

7.5HIGHNVD

CNA5.5

EPSS

4.0%

top 11.61%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Nodejs Node Nodejs

Timeline

PublishedJul 18

Latest updateJan 15

Description

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5nodejs/node20.0.0 — 20.19.4+2

▶CVEListV5nodejs/nodejs4.0 — 4.*+15

🔴Vulnerability Details

GHSA

GHSA-x33r-pvvq-wjrh: An incomplete fix has been identified for CVE-2025-23084 in Node↗2025-07-19

▶

CVEList

CVE-2025-27210: An incomplete fix has been identified for CVE-2025-23084 in Node↗2025-07-18

▶

💥Exploits & PoCs

Exploit-DB

NodeJS 24.x - Path Traversal↗2025-07-16

▶

📋Vendor Advisories

Oracle

Oracle Oracle JD Edwards Risk Matrix: E1 Dev Platform Tech - Cloud (Node.js) — CVE-2025-27210↗2026-01-15

▶

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Node.js) — CVE-2025-27210↗2025-10-15

▶

Debian

CVE-2025-27210: nodejs - An incomplete fix has been identified for CVE-2025-23084 in Node.js, specificall...↗2025

▶

💬Community

HackerOne

Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix↗2025-07-28

▶