CVE-2025-23084

5.5 MEDIUM

📋 TL;DR

Node.js on Windows mishandles drive names in path.join(): a relative path that looks like a drive name (a segment beginning with a drive letter and a colon) is treated as a root directory reference rather than as a relative segment. An application that builds file system paths from attacker-controlled input with path.join() can therefore be made to read, write, or delete files outside the directory it intended. Only applications running on Windows are affected; Node.js on Linux and macOS is not.

💻 Affected Systems

Products:
  • Node.js
Versions: Node.js releases earlier than 20.15.1 (20.x line), 22.7.1 (22.x line), and 23.4.1 (23.x line); confirm the exact patched version for your release line against the vendor advisory linked under Fix & Mitigation
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes, whenever path.join() receives untrusted input; no configuration switch disables the behaviour
Notes: Only affects Windows; Linux/macOS unaffected. Exploitation requires that the application pass user-controlled input to path.join() when building a file system path.

📦 What is this software?

Node.js is a server-side JavaScript runtime. The affected API is path.join() in its built-in path module, which concatenates path segments and normalizes the result using the platform's path rules (path.win32 on Windows, path.posix elsewhere). Windows drive names such as C: are interpreted by the win32 implementation, which is where this vulnerability lies.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary file read/write/delete leading to sensitive data exposure, system compromise, or denial of service

🟠 Likely Case: Limited file system access allowing unauthorized reading of configuration files or writing to temporary directories

🟢 If Mitigated: Minimal impact if strict input validation and file system permissions keep the process away from sensitive areas

🌐 Internet-Facing: MEDIUM - Web applications using path.join() with user input could be vulnerable to path traversal
🏢 Internal Only: LOW - Requires specific conditions and user input to exploit in internal applications

🎯 Exploit Status

Public PoC: ❌ No (none known at the time of writing)
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes, if the vulnerable path.join() call is reachable without authentication (for example a download or upload endpoint that takes a file name)
Complexity: LOW

Exploitation requires attacker-controlled input reaching a path.join() call that builds a file system path, plus knowledge of Windows drive-letter syntax; no memory corruption or race condition is involved, hence the LOW complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 20.15.1, 22.7.1, or 23.4.1

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases

Restart Required: Yes

Instructions:

  1. Identify the running Node.js version with 'node --version'.
  2. Update with Node Version Manager (nvm) or your package manager to the patched release of the line you are on (20.15.1, 22.7.1, or 23.4.1 as listed above; confirm the exact version against the vendor advisory).
  3. With nvm: 'nvm install 20.15.1' (or 22.7.1 / 23.4.1), then 'nvm use' the new version so it becomes the default.
  4. Restart every Node.js application and service: a running process keeps the old path module loaded in memory until it restarts.

🔧 Temporary Workarounds

Input validation for path.join()

Applies to: all affected versions

Reject, rather than sanitize, any user input that is not a plain relative file name before it reaches path.join(): input beginning with a drive letter and a colon (absolute C:\name or drive-relative C:name), input beginning with a separator (rooted or UNC), and any '..' segment. Sanitizing (stripping characters) invites bypasses; rejecting is simpler and safer.

// JavaScript example: reject drive letters, rooted/UNC prefixes, and '..' segments before path.join()
if (/^[a-zA-Z]:|^[\\/]/.test(userInput) || userInput.split(/[\\/]/).includes('..'))
  throw new Error('Invalid path');

Resolve and check containment instead of trusting path.join()

Applies to: all affected versions

path.resolve() gives you an absolute path you can check, but it is not a containment control on its own: an absolute input, or one on another drive such as D:\x, resolves to itself. After resolving, verify that the result equals the base directory or starts with the base directory followed by a separator (compare case-insensitively on Windows), and reject it otherwise.

// Replace: path.join(baseDir, userInput)
// With: path.resolve(baseDir, userInput), then verify the result is inside path.resolve(baseDir)

🧯 If You Can't Patch

  • Implement strict input validation for all path.join() calls
  • Apply principle of least privilege to file system permissions

🔍 How to Verify

Check if Vulnerable:

You are exposed if the Node.js version is below the patched release for its line, the process runs on Windows, and the application passes user-controlled input to path.join() (or to APIs built on it) when constructing file system paths. Search the code base and its dependencies for path.join calls fed from request parameters, file names, or other external input.

Check Version:

node --version

Verify Fix Applied:

After updating, run 'node --version' again and confirm the reported version is at or above the patched release for your line. Then exercise the application's file-handling endpoints with inputs that begin with a drive letter and colon and with '..' segments, and confirm each is rejected or resolves to a path inside the intended directory.

📡 Detection & Monitoring

Log Indicators:

  • Reads, writes, or deletes by the Node.js process outside its expected directories (for example under the Windows system directory or on another drive)
  • Failed file operations whose paths contain drive-letter prefixes or '..' segments supplied by a request

Network Indicators:

  • HTTP requests whose path or query parameters carry drive-letter prefixes (C:), backslashes, or '..' segments, including percent-encoded forms (%3A, %5C, %2E%2E) and double-encoded variants

SIEM Query:

source="web_access_logs" AND (request_uri="*%3A%5C*" OR request_uri="*..%5C*" OR request_uri="*..\\*" OR request_uri="*%2E%2E*" OR request_uri="*..%2F*")

Source and field names are placeholders for your log schema. Match on the raw request target in web access logs; the string "path.join" does not appear in ordinary application logs, so a query keyed on it will not fire.
