CVE-2025-23084

Medium CVSS: 5.5

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.

On Windows, a path that does not start with the file separator is treated as relative to the current directory.

This vulnerability affects Windows users of `path.join` API.

Vendor

Nodejs

Product

Node.js

CWE

CWE-22

Yayın Tarihi

2025-01-28 05:15:11

Güncelleme

2025-11-04 22:16:07

Source Identifier

support@hackerone.com

KEV Date Added

Kategoriler

CWE-22 Node.js MEDIUM Nodejs 2025

Referanslar

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases http://www.openwall.com/lists/oss-security/2025/07/22/2 https://security.netapp.com/advisory/ntap-20250321-0003/

Benzer Kayıtlar

Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject…

High

CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's Byt…

High

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_m…

Medium

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulne…

High

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessa…

Medium

CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Co…