node.js: node.js drive name handler (CVE-2025-23084) #shorts

Summary

In this episode, we're diving into CVE-2025-23084, a recently identified vulnerability in Node.js that affects Windows users by mishandling drive names, potentially leading to directory traversal exploits. Stay tuned as we discuss the details and what this means for Node.js users.

Product details

The products affected by this vulnerability include Node.js versions 18.20.5, 20.18.1, 22.13.0, and 23.6.0 on Windows platforms. Node.js is a widely used JavaScript runtime that executes JavaScript code server-side. If you're using these specific versions, you'll need to pay special attention to this issue.

Vulnerability type summary

CVE-2025-23084 is a directory traversal vulnerability that arises from the improper handling of drive names in Windows environments by the Node.js `path.join` API. This means that certain paths are incorrectly treated as relative paths, which can lead to unauthorized access to the file system's root directory.

Details of the vulnerability

The vulnerability is specifically tied to how Node.js treats paths that do not start with the file separator in Windows. These paths are incorrectly handled as if they are relative, potentially giving attackers a way to manipulate drive name handling to achieve directory traversal. This could allow unauthorized access to sensitive directories and files, posing a security risk.

Conclusion

If you are using Node.js on a Windows system with one of the affected versions, it is strongly recommended to update your Node.js installation to the latest secured versions available, such as 18.20.6. Fedora 40 and 41 have already released security patches addressing this vulnerability. Always stay updated with the latest security advisories to protect your systems from such vulnerabilities.

Watch the full video on YouTube: CVE-2025-23084

Remediation and exploitation details

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2025-23084
Description
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
Provider
hackerone
CWE / problem types
Affected Software Versions
NodeJS:Node:[{'versionType': 'semver', 'version': '4.0', 'status': 'affected', 'lessThan': '4.*'}, {'versionType': 'semver', 'version': '5.0', 'status': 'affected', 'lessThan': '5.*'}, {'versionType': 'semver', 'version': '6.0', 'status': 'affected', 'lessThan': '6.*'}, {'versionType': 'semver', 'version': '7.0', 'status': 'affected', 'lessThan': '7.*'}, {'versionType': 'semver', 'version': '8.0', 'status': 'affected', 'lessThan': '8.*'}, {'versionType': 'semver', 'version': '9.0', 'status': 'affected', 'lessThan': '9.*'}, {'versionType': 'semver', 'version': '10.0', 'status': 'affected', 'lessThan': '10.*'}, {'versionType': 'semver', 'version': '11.0', 'status': 'affected', 'lessThan': '11.*'}, {'versionType': 'semver', 'version': '12.0', 'status': 'affected', 'lessThan': '12.*'}, {'versionType': 'semver', 'version': '13.0', 'status': 'affected', 'lessThan': '13.*'}, {'versionType': 'semver', 'version': '14.0', 'status': 'affected', 'lessThan': '14.*'}, {'versionType': 'semver', 'version': '15.0', 'status': 'affected', 'lessThan': '15.*'}, {'versionType': 'semver', 'version': '16.0', 'status': 'affected', 'lessThan': '16.*'}, {'versionType': 'semver', 'version': '17.0', 'status': 'affected', 'lessThan': '17.*'}, {'versionType': 'semver', 'version': '18.0', 'status': 'affected', 'lessThan': '18.20.6'}, {'versionType': 'semver', 'version': '19.0', 'status': 'affected', 'lessThan': '19.*'}, {'versionType': 'semver', 'version': '20.0', 'status': 'affected', 'lessThan': '20.18.2'}, {'versionType': 'semver', 'version': '21.0', 'status': 'affected', 'lessThan': '21.*'}, {'versionType': 'semver', 'version': '22.0', 'status': 'affected', 'lessThan': '22.13.1'}, {'versionType': 'semver', 'version': '23.0', 'status': 'affected', 'lessThan': '23.6.1'}]
Date Published
2025-01-28T04:35:15.236Z
Last Updated
2025-04-30T22:25:23.315Z