CVE-2025-27210

Published Jul 18, 2025

Last updated 8 months ago

CVSS high 7.5
Node.js
Windows
npm

Overview

Description
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the `path.join` API.
Source: support@hackerone.com
NVD status: Awaiting Analysis

Risk scores

CVSS 3.0

Type: Secondary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-22

Social media

Hype score
Not currently trending
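  1. Isn't this the source for CVE-2025-27210, the Node.js vulnerability that is (apparently?) scheduled to be addressed? An issue has been filed saying that it is described as fixed, but isn't it actually not fixed? https://t.co/6s2N6B2Bmm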

    @karan_corons

    16 Dec 2025

    759 Impressions

    0 Retweets

    6 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Found myself testing an app last week with historical path traversal issues.. Yes, they still exist in 2025 😅 (CVE-2025-27553 / CVE-2025-27210). I didn’t love the existing path traversal tools I found So I built my own: TraverseCheck ✅Checks URL Path and query parame

    @TurvSec

    21 Oct 2025

    177 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    1 Reply

    0 Quotes

  3. CVE-2025-27210 – High Severity Path Traversal in Node.js (Windows) Any app on 20.x<20.19.4, 22.x<22.17.1, 24.x<24.4.1 may allow unauthorized file access. ⚡️ Update now! | ℹ️ https://t.co/cprLbclapy #cve https://t.co/lbwM86kngs

    @Netlas_io

    14 Aug 2025

    289 Impressions

    3 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. Node.js Team: CVE for one bug, “not a vuln” for the next? My first Windows device name path bug got a CVE & patch (CVE-2025-27210). My second report, same root cause, different attack vector (UNC path) , was dismissed as “informative”. Here’s the public disclosure

    @theoblivionsage

    28 Jul 2025

    137 Impressions

    0 Retweets

    3 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  5. ⚠️Vulnerabilities in Node.js ❗CVE-2025-27209 ❗CVE-2025-27210 ➡️More info: https://t.co/F4UeqadSvz https://t.co/Iu97td1AcV

    @CERTpy

    24 Jul 2025

    98 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. ⚠️Vulnerabilities in Node.js ❗CVE-2025-27209 ❗CVE-2025-27210 ➡️More info: https://t.co/f2f9WvQE7y https://t.co/T8tm1vT2Zg

    @CERTpy

    23 Jul 2025

    103 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. kusanagi-nodejs22 module update information 22.17.1-1 We have updated the modules that make up KUSANAGI 9. The versions of each module applied by the update are as follows. nodejs 22

    @kusanagi_saya

    23 Jul 2025

    72 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. CVE-2025-27210 Github link: https://t.co/lJT3VGHaHu

    @PoC_in_Github

    19 Jul 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-27210 : Node.JS Path Traversal PoC Proof of Concept CVE-2025-27210, a precise Path Traversal vulnerability affecting Node.js applications running on Microsoft Windows. This vulnerability leverages the specific way Windows handles reserved device file names (

    @PsalmWell

    19 Jul 2025

    56 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  10. CVE-2025-27210 An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affect… https://t.co/R5fCclfO1w

    @CVEnew

    18 Jul 2025

    484 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  11. 🚨 Node.js Security Updates Released (July 15, 2025) High severity fixes for: • path.normalize() Windows device names bypass (CVE-2025-27210) • HashDoS in V8 (CVE-2025-27209) Affects: 20.x, 22.x, 24.x Update now: https://t.co/VsLZeDjaNW #NodeJS #Security

    @NodeSource

    16 Jul 2025

    123 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-27210: Node JS Path Traversal PoC https://t.co/m4RSbtQBQd

    @freedomhack101

    16 Jul 2025

    95 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  13. #Poc CVE-2025-27210 Node.JS Path Traversal https://t.co/ddYZN3n00R #Node #cve https://t.co/7KwpBVzrzN

    @absholi7ly

    16 Jul 2025

    234 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    2 Replies

    0 Quotes

  14. 🚨🚨Node.js alert! Two critical vulnerabilities exposed: CVE-2025-27210: Windows Path Traversal! Attackers exploit path.normalize() & path.join() to access unauthorized files. CVE-2025-27209: HashDoS via rapidhash in V8 risks app crashes. ZoomEye Dork👉app="Node.

    @zoomeye_team

    16 Jul 2025

    1991 Impressions

    5 Retweets

    35 Likes

    16 Bookmarks

    1 Reply

    0 Quotes

  15. 🚨Alert🚨 Two High-Severity Node.js Flaws: CVE-2025-27210:Path Traversal Bypass Using Windows Device Names CVE-2025-27209:HashDoS Reintroduced via rapidhash in V8 📊26M Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/c8Twy64jOS 👇Que

    @HunterMapping

    16 Jul 2025

    2752 Impressions

    9 Retweets

    52 Likes

    19 Bookmarks

    1 Reply

    0 Quotes

  16. Found a 0day in Node.js - CVE-2025-27210 Discovered a path traversal vulnerability in Node.js (Windows path traversal via device names)! Officially acknowledged, patched & disclosed by the Node.js security team! https://t.co/aEQxIiG0gV https://t.co/BFC6F0jm2l https://t.co

    @theoblivionsage

    15 Jul 2025

    6750 Impressions

    12 Retweets

    154 Likes

    56 Bookmarks

    3 Replies

    0 Quotes

References

Sources include official advisories and independent security research.