CVE-2025-23084
MEDIUM 5.5 | EPSS 1.3% | Published: 1/28/2025 | Modified: 12/3/2025
Description
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API.
Affected packages (3)
- Alpine/nodejs: from 0, < 22.13.1-r0
- Bitnami/node: from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
- Bitnami/node-min: from 0, < 18.20.6, >= 19.0.0, < 20.18.2, >= 21.0.0, < 22.13.1, >= 23.0.0, < 23.8.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (5)
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2025-23084
- WEB: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
- WEB: https://nvd.nist.gov/vuln/detail/CVE-2025-23084
- WEB: https://security.netapp.com/advisory/ntap-20250321-0003/
- WEB: http://www.openwall.com/lists/oss-security/2025/07/22/2