Overview
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. It offers an event-driven, non-blocking I/O model that makes it lightweight and efficient, and is widely used in web applications and server-side development.
A Path Traversal vulnerability has been identified in Node.js on Windows. An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.
This vulnerability affects Windows users of path.join API.
This vulnerability affects specific versions of the package and can result in Path Traversal. Details on affected versions and reproduction steps are provided below.
Details
Module Info
- Affected packages: Node.js
- Affected versions: 4.0 < 20.19.4, 22 < 22.17.1, 24 < 24.4.1
- GitHub repository: https://github.com/nodejs/node
- Published packages: https://github.com/nodejs/node/releases
- Package manager: npm
- Fixed in: Node.js NES version v12, v14, v16, v18, v20
Vulnerability Info
In a scenario where an attacker sends a malicious url, the system may fail to handle the device name correctly, leading to a Path Traversal.
This vulnerability is a result of flawed logic, and may allow attackers to completely disrupt the service.
- https://nodejs.org/en/blog/vulnerability/july-2025-security-releases
Mitigation
This vulnerability is not fixed upstream due to the release line being EOL. Herodevs has issued patched builds under the NES (Never Ending Support) line.
- Update to a patched LTS version of Node.js
- Leverage a commercial support partner like HeroDevs for post-EOL security.
Refer to the NES documentation for upgrade instructions.
Credits
- oblivionsage
