CVE-2025-27210
📋 TL;DR
This vulnerability is an incomplete fix for CVE-2025-23084 in Node.js that allows path traversal attacks when using Windows device names like CON, PRN, and AUX in the path.join API. It affects Windows users of Node.js applications that process user-controlled file paths. Attackers could potentially bypass security controls to access or manipulate files.
💻 Affected Systems
- Node.js
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file read/write leading to sensitive data exposure, file deletion, or remote code execution if combined with other vulnerabilities.
Likely Case
Path traversal allowing unauthorized file access or manipulation of application files.
If Mitigated
Limited impact if proper input validation and file system permissions are implemented.
🎯 Exploit Status
Exploitation requires user-controlled input to path.join API on Windows. No public exploit code identified yet.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Node.js versions from July 2025 security releases
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/july-2025-security-releases
Restart Required: Yes
Instructions:
1. Check the current Node.js version with 'node --version'.
2. Update to the latest patched version using the Node.js installer or your package manager.
3. Restart all Node.js applications and services.
🔧 Temporary Workarounds
Input validation for file paths
Platform: Windows. Implement strict validation to reject Windows device names in user-controlled path inputs.
Use path.resolve instead of path.join
Platform: all. Replace vulnerable path.join calls with path.resolve where appropriate.
🧯 If You Can't Patch
- Implement strict input validation to reject Windows device names (CON, PRN, AUX, etc.) in all file path inputs
- Run Node.js applications with minimal file system permissions and in sandboxed environments
🔍 How to Verify
Check if Vulnerable:
Check whether the Node.js version is older than the July 2025 security releases and whether the application passes user input to path.join on Windows.
Check Version:
node --version
Verify Fix Applied:
Verify that the Node.js version is from the July 2025 security releases or later, and test that path.join with Windows device names returns the expected errors.
📡 Detection & Monitoring
Log Indicators:
- Failed file operations with Windows device names
- Unexpected path traversal attempts
Network Indicators:
- Unusual file access patterns from web applications
SIEM Query:
Search for file access errors containing CON, PRN, AUX, or other Windows device names in application logs