CVE-2025-23084

Published: 1/28/2025 Last updated: 11/4/2025 Reserved: 1/10/2025

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.

CNA assigner: hackerone (36234546-b8fa-4601-9d6f-f4e334aa8ea1) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.0	5.6	Medium	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Opam packages affected (1)

conf-npm

Products affected (2)

Product	Vendor	Version
Node	NodeJS	3.8.1S
Node	NodeJS	SC8380XP

References (6)

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
https://security.netapp.com/advisory/ntap-20250321-0003/
http://www.openwall.com/lists/oss-security/2025/07/22/2
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
https://security.netapp.com/advisory/ntap-20250321-0003/
http://www.openwall.com/lists/oss-security/2025/07/22/2