Node.js path.join vulnerability: Windows device name DOS via CON/PRN/AUX: CVE-2025-27210 July 2025

Node.js path.join vulnerability: Windows device name DOS via CON/PRN/AUX
CVE-2025-27210 Published on July 18, 2025

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2025-27210 has been classified to as a Directory traversal vulnerability or weakness.

Products Associated with CVE-2025-27210

stack.watch emails you whenever new vulnerabilities are published in Oracle or nodejs. Just hit a watch button to start following.

Affected Versions

Version 20.0.0 and below 20.19.4 is affected.

Version 22.0.0 and below 22.17.1 is affected.

Version 24.0.0 and below 24.4.1 is affected.

Version 4.0 and below 4.* is affected.

Version 5.0 and below 5.* is affected.

Version 6.0 and below 6.* is affected.

Version 7.0 and below 7.* is affected.

Version 8.0 and below 8.* is affected.

Version 9.0 and below 9.* is affected.

Version 10.0 and below 10.* is affected.

Version 11.0 and below 11.* is affected.

Version 12.0 and below 12.* is affected.

Version 13.0 and below 13.* is affected.

Version 14.0 and below 14.* is affected.

Version 15.0 and below 15.* is affected.

Version 16.0 and below 16.* is affected.

Version 17.0 and below 17.* is affected.

Version 18.0 and below 18.* is affected.

Version 19.0 and below 19.* is affected.

Exploit Probability

EPSS

3.97%

Percentile

88.38%