Node.js Vulnerability Impacting Windows Drive Name Handling
CVE-2025-23084

5.5 MEDIUM

Key Information:

Vendor

Nodejs

Status
Vendor
CVE Published:
28 January 2025

What is CVE-2025-23084?

A security flaw has been discovered in Node.js that affects the handling of drive names on Windows systems. The issue arises when certain Node.js functions treat drive names as regular path components instead of special identifiers. Consequently, even when a relative path is expected, Node.js may reference the root directory instead of the intended location. This vulnerability specifically affects the path.join API, impacting Windows users who rely on accurate directory referencing.

Affected Version(s)

node 18.20.5

node 20.18.1

node 22.13.0

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved