CVE-2025-23084

Name
CVE-2025-23084
Description
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API.
NVD Severity
medium

References

| Type | URI |
|---|---|
| support@hackerone.com | https://nodejs.org/en/blog/vulnerability/january-2025-security-releases |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20250321-0003/ |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2025/07/22/2 |

Match rules

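| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| | node | >= 4.0 | < 4.* |
| | node | >= 5.0 | < 5.* |
| | node | >= 6.0 | < 6.* |
| | node | >= 7.0 | < 7.* |
| | node | >= 8.0 | < 8.* |
| | node | >= 9.0 | < 9.* |
| | node | >= 10.0 | < 10.* |
| | node | >= 11.0 | < 11.* |
| | node | >= 12.0 | < 12.* |
| | node | >= 13.0 | < 13.* |
| | node | >= 14.0 | < 14.* |
| | node | >= 15.0 | < 15.* |
| | node | >= 16.0 | < 16.* |
| | node | >= 17.0 | < 17.* |
| | node | >= 18.0 | < 18.20.6 |
| | node | >= 19.0 | < 19.* |
| | node | >= 20.0 | < 20.18.2 |
| | node | >= 21.0 | < 21.* |
| | node | >= 22.0 | < 22.13.1 |
| | node | >= 23.0 | < 23.6.1 |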

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| nodejs | edge-main | 22.13.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | fixed |
| nodejs | edge-main | 22.11.0-r2 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.11.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | edge-main | 22.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.22-main | 22.13.1-r0 | None | fixed |
| nodejs | 3.21-main | 22.11.0-r1 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.21-main | 22.11.0-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.20-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |
| nodejs | 3.19-main | 20.15.1-r0 | Jakub Jirutka <jakub@jirutka.cz> | possibly vulnerable |