
CVE-2025-23084: A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js...

5.6 CVSS

Description

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.

On Windows, a path that does not start with the file separator is treated as relative to the current directory.

This vulnerability affects Windows users of the `path.join` API.
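A defensive wrapper for joining untrusted input onto a base directory, as an added example that is not code from Node.js or from this advisory. The names `safeJoinWin32` and `outcome` and the sample paths are hypothetical. It uses `path.win32` so the Windows rules apply on any OS, and it rejects drive names in any path component instead of relying on how a given Node.js version joins them.

```javascript
'use strict';
const { win32 } = require('node:path');

// A component is drive-qualified when it starts with "<letter>:" ("C:", "C:foo").
const DRIVE_PREFIX = /^[A-Za-z]:/;

// Hypothetical helper: resolve `untrusted` under `baseDir` or throw.
function safeJoinWin32(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) {
    throw new Error('invalid path input');
  }
  // Check every component: "x/../C:/Windows" carries the drive name mid-path,
  // where it can surface as the leading element after normalization.
  for (const part of untrusted.split(/[\\/]+/)) {
    if (DRIVE_PREFIX.test(part)) {
      throw new Error('drive name not allowed in path input');
    }
  }
  const base = win32.resolve(baseDir);
  const target = win32.resolve(base, untrusted);
  // Containment check: the resolved target must stay below the base directory.
  const rel = win32.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || win32.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}

// Returns the resolved path, or the rejection reason for refused input.
function outcome(baseDir, untrusted) {
  try {
    return safeJoinWin32(baseDir, untrusted);
  } catch (err) {
    return `rejected: ${err.message}`;
  }
}

// Constructed sample inputs, not taken from the advisory.
const BASE = 'C:\\srv\\uploads';
const SAMPLES = ['docs/a.txt', 'C:', 'x/../C:/Windows', '..\\..\\Windows', '\\Windows'];
for (const input of SAMPLES) {
  console.log(JSON.stringify(input), '->', outcome(BASE, input));
}
```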

Classification

CVE ID: CVE-2025-23084

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.6

Affected Products

Vendor: nodejs

Product: node

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 12.97% (share of scored vulnerabilities with an equal or lower EPSS score)

EPSS Date: 2025-02-27 (date this score was calculated)

References

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases
