CVE-2025-27210
Public on 2025-07-17
Modified on 2025-07-17
Description
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.
This vulnerability affects Windows users of the path.join API.
Impact:
This vulnerability affects all users in active release lines: 20.x, 22.x, 24.x.
Thank you to oblivionsage for reporting this vulnerability, and thank you to RafaelGSS for fixing it.
NOTE: https://nodejs.org/en/blog/vulnerability/july-2025-security-releases#windows-device-names-con-prn-aux-bypass-path-traversal-protection-in-pathnormalize-cve-2025-27210---high
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 2023 | nodejs | | | Not Affected |
Amazon Linux 2023 | nodejs20 | | | Not Affected |
Amazon Linux 2023 | nodejs22 | | | Not Affected |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |