PT-2025-29688 · Node.Js · Node.Js
Oblivionsage · Published 2025-07-15 · Updated 2025-08-19
CVE-2025-27210
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Node.js versions 20.19.4 through 24.4.1
Description
A path traversal vulnerability exists in Node.js when running on Microsoft Windows. The path.normalize() function fails to block Windows device names such as CON, PRN, and AUX, allowing attackers to exploit this behavior for path traversal attacks. The vulnerability leverages the specific way Windows handles reserved device filenames.
Recommendations
Node.js versions prior to 20.19.4 should be updated.
Node.js versions prior to 22.17.1 should be updated.
Node.js versions prior to 24.4.1 should be updated.
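The check below is an added example, not code from this advisory or from the Node.js project: it validates an untrusted relative path segment by segment before it reaches path.normalize() or path.join(), so the result does not depend on how the installed Node.js version treats device names. The function names, the C:\app\uploads base directory and the device names beyond CON, PRN and AUX (NUL, COM1-9, LPT1-9) are assumptions added here.

```javascript
'use strict';
const path = require('node:path');

// Windows reserved device names. The advisory names CON, PRN and AUX; the rest
// of this list (NUL, COM1-9, LPT1-9) is an assumption added from the Windows
// file naming rules.
const RESERVED = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/i;

// True when a path segment names a device. The part before the first '.' or
// ':' is compared, with trailing spaces dropped, so "aux.txt" and "CON:" match.
function isReservedSegment(segment) {
  const stem = segment.split(/[.:]/)[0].trimEnd();
  return RESERVED.test(stem);
}

// Hypothetical helper: returns a rejection reason, or null when the untrusted
// relative path raises no objection. Runs BEFORE any normalize()/join() call.
function checkUserPath(userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return 'empty';
  if (userPath.includes('\0')) return 'nul-byte';
  if (/^[\\/]/.test(userPath) || /^[a-z]:/i.test(userPath)) return 'absolute';
  for (const segment of userPath.split(/[\\/]+/)) {
    if (segment === '..') return 'dot-dot';
    if (isReservedSegment(segment)) return 'device-name';
    if (segment.includes(':')) return 'colon';
  }
  return null;
}

// Join only after validation, then confirm the result is still below baseDir.
// path.win32 is used so the check behaves the same on any host OS.
function resolveUnderBase(baseDir, userPath) {
  const reason = checkUserPath(userPath);
  if (reason) throw new Error(`rejected path (${reason})`);
  const base = path.win32.normalize(baseDir).replace(/\\+$/, '');
  const full = path.win32.join(base, userPath);
  if (!full.toLowerCase().startsWith(base.toLowerCase() + '\\')) {
    throw new Error('rejected path (escapes base)');
  }
  return full;
}
```

Validation of this kind complements the update recommended above; it does not replace it.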
Exploit
Fix
Path traversal
Affected Products
Node.Js