Node.js Vulnerability Impacting Windows Drive Name Handling
CVE-2025-23084

Currently unrated

Key Information:

Vendor: Nodejs

Status
Vendor
CVE Published: 28 January 2025

What is CVE-2025-23084?

A security flaw has been discovered in Node.js that affects the handling of drive names on Windows systems. The issue arises because certain Node.js functions treat drive names as regular path components rather than as special identifiers. As a result, even when a relative path is expected, Node.js may reference the root directory instead of the intended location. The vulnerability affects the path.join API and impacts Windows users who rely on accurate directory referencing.
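An application-side guard for the case described above, as an added example that is not code from this page or from the Node.js project: it refuses untrusted input containing a drive name in any component before the value reaches path.join, then confirms the joined result stays under the base directory. The names validateUserPath and safeJoin, the base directory and the sample inputs are assumptions made for illustration; path.win32 is used so the check behaves the same on any host OS.

```javascript
const path = require('node:path');
const win = path.win32; // Windows path semantics regardless of host OS

const DRIVE_NAME = /^[a-zA-Z]:/; // matches "C:", "d:notes.txt", ...

// Returns null when userPath is acceptable, otherwise the reason for rejecting it.
function validateUserPath(userPath) {
  if (typeof userPath !== 'string' || userPath === '' || userPath.includes('\0')) {
    return 'empty or malformed input';
  }
  const parts = userPath.split(/[\\/]+/);
  // Check every component, not only the first: normalisation can move a
  // later component to the front of the result.
  if (parts.some((p) => DRIVE_NAME.test(p))) return 'drive name in path component';
  if (win.isAbsolute(userPath)) return 'absolute path';
  if (parts.includes('..')) return 'parent-directory traversal';
  return null;
}

// Joins untrusted input onto baseDir, throwing if it fails validation
// or if the joined result is not located under baseDir.
function safeJoin(baseDir, userPath) {
  const reason = validateUserPath(userPath);
  if (reason !== null) throw new Error(`rejected path: ${reason}`);
  const base = win.normalize(baseDir);
  const prefix = base.endsWith('\\') ? base : base + '\\';
  const joined = win.join(base, userPath);
  // Defence in depth: compare case-insensitively, as Windows paths are.
  if (!joined.toLowerCase().startsWith(prefix.toLowerCase())) {
    throw new Error('rejected path: escapes base directory');
  }
  return joined;
}

// Constructed sample inputs (not taken from the advisory).
const SAMPLES = [
  'reports/q1.txt',
  'C:\\Windows\\win.ini',
  'C:notes.txt',
  'reports\\..\\C:\\Windows',
  '\\Windows\\System32',
];

// Pairs each sample with the validator's verdict.
function runSamples() {
  return SAMPLES.map((s) => [s, validateUserPath(s)]);
}
```

The validation is independent of the installed Node.js version, so it remains useful as a second layer after upgrading.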

Affected Version(s)

node 18.20.5

node 20.18.1

node 22.13.0
