CVE-2025-27210

Published Jul 18, 2025

Last updated a month ago

CVSS high 7.5
Windows
Node.js

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-27210 is a path traversal vulnerability affecting Node.js applications on Windows platforms. It stems from an incomplete fix for CVE-2025-23084 and involves the way the `path.normalize()` and `path.join()` APIs handle Windows device names like CON, PRN, and AUX. Attackers can exploit this vulnerability to bypass directory traversal protections by manipulating these special device names. This can lead to unauthorized access to files or directories. The vulnerability affects Node.js versions 20.x, 22.x, and 24.x.

Description
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the `path.join` API.
Source: support@hackerone.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.0

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

  1. CVE-2025-27210 – High Severity Path Traversal in Node.js (Windows) Any app on 20.x<20.19.4, 22.x<22.17.1, 24.x<24.4.1 may allow unauthorized file access. ⚡️ Update now! | ℹ️ https://t.co/cprLbclapy #cve https://t.co/lbwM86kngs

    @Netlas_io, 14 Aug 2025. 289 Impressions, 3 Retweets, 1 Like, 1 Bookmark, 0 Replies, 0 Quotes

  2. Node.js Team: CVE for one bug, “not a vuln” for the next? My first Windows device name path bug got a CVE & patch (CVE-2025-27210). My second report, same root cause, different attack vector (UNC path), was dismissed as “informative”. Here’s the public disclosure

    @theoblivionsage, 28 Jul 2025. 137 Impressions, 0 Retweets, 3 Likes, 2 Bookmarks, 0 Replies, 0 Quotes

  3. ⚠️Vulnerabilities in Node.js ❗CVE-2025-27209 ❗CVE-2025-27210 ➡️More info: https://t.co/F4UeqadSvz https://t.co/Iu97td1AcV

    @CERTpy, 24 Jul 2025. 98 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes

  4. ⚠️Vulnerabilities in Node.js ❗CVE-2025-27209 ❗CVE-2025-27210 ➡️More info: https://t.co/f2f9WvQE7y https://t.co/T8tm1vT2Zg

    @CERTpy, 23 Jul 2025. 103 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  5. kusanagi-nodejs22 module update information 22.17.1-1 We have updated the modules that make up KUSANAGI 9. The module versions applied by this update are as follows. nodejs 22

    @kusanagi_saya, 23 Jul 2025. 72 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  6. CVE-2025-27210 Github link: https://t.co/lJT3VGHaHu

    @PoC_in_Github, 19 Jul 2025. 0 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  7. CVE-2025-27210 : Node.JS Path Traversal PoC Proof of Concept CVE-2025-27210, a precise Path Traversal vulnerability affecting Node.js applications running on Microsoft Windows. This vulnerability leverages the specific way Windows handles reserved device file names (

    @PsalmWell, 19 Jul 2025. 56 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 1 Reply, 0 Quotes

  8. CVE-2025-27210 An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affect… https://t.co/R5fCclfO1w

    @CVEnew, 18 Jul 2025. 484 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 1 Reply, 0 Quotes

  9. 🚨 Node.js Security Updates Released (July 15, 2025) High severity fixes for: • path.normalize() Windows device names bypass (CVE-2025-27210) • HashDoS in V8 (CVE-2025-27209) Affects: 20.x, 22.x, 24.x Update now: https://t.co/VsLZeDjaNW #NodeJS #Security

    @NodeSource, 16 Jul 2025. 123 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  10. CVE-2025-27210: Node JS Path Traversal PoC https://t.co/m4RSbtQBQd

    @freedomhack101, 16 Jul 2025. 95 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 1 Reply, 0 Quotes

  11. #Poc CVE-2025-27210 Node.JS Path Traversal https://t.co/ddYZN3n00R #Node #cve https://t.co/7KwpBVzrzN

    @absholi7ly, 16 Jul 2025. 234 Impressions, 0 Retweets, 3 Likes, 1 Bookmark, 2 Replies, 0 Quotes

  12. 🚨🚨Node.js alert! Two critical vulnerabilities exposed: CVE-2025-27210: Windows Path Traversal! Attackers exploit path.normalize() & path.join() to access unauthorized files. CVE-2025-27209: HashDoS via rapidhash in V8 risks app crashes. ZoomEye Dork👉app="Node.

    @zoomeye_team, 16 Jul 2025. 1991 Impressions, 5 Retweets, 35 Likes, 16 Bookmarks, 1 Reply, 0 Quotes

  13. 🚨Alert🚨 Two High-Severity Node.js Flaws: CVE-2025-27210:Path Traversal Bypass Using Windows Device Names CVE-2025-27209:HashDoS Reintroduced via rapidhash in V8 📊26M Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/c8Twy64jOS 👇Que

    @HunterMapping, 16 Jul 2025. 2752 Impressions, 9 Retweets, 52 Likes, 19 Bookmarks, 1 Reply, 0 Quotes

  14. Found a 0day in Node.js - CVE-2025-27210 Discovered a path traversal vulnerability in Node.js (Windows path traversal via device names)! Officially acknowledged, patched & disclosed by the Node.js security team! https://t.co/aEQxIiG0gV https://t.co/BFC6F0jm2l https://t.co

    @theoblivionsage, 15 Jul 2025. 6750 Impressions, 12 Retweets, 154 Likes, 56 Bookmarks, 3 Replies, 0 Quotes
