A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
The severity of this vulnerability is classified as medium with a CVSS score of 5.5, indicating a moderate level of risk.
Risk to organizations includes potential unauthorized access to sensitive data, as the vulnerability allows misleading path resolutions. Organizations should prioritize patching immediately.
Currently, there are no known exploits or public proof of concept for this vulnerability, but the implications for Windows users can be significant.
Organizations should address this vulnerability in their priority patch cycle to mitigate risks.
Vulnerability Details
The vulnerability is classified under CWE-22, which pertains to improper limitation of a pathname to a restricted directory ('Path Traversal'). The official CVE description indicates it affects versions of Node.js from 18.0 to 18.20.6, 20.0 to 20.18.2, 22.0 to 22.13.1, and 23.0 to 23.6.1.
The vulnerability was published on January 28, 2025, with a last modified date of November 4, 2025.
Technical Analysis
The root cause of this vulnerability arises from the way Node.js handles drive names in the Windows environment. Specifically, certain functions that are expected to treat drive names as special instances do not do so, leading to incorrect path evaluations.
The attack vector for this vulnerability is local, meaning that an attacker would need local access to the system to exploit it. The attack complexity is low, as it does not require advanced skills or resources. Privileges required are also low, allowing users with minimal access to potentially exploit the flaw.
User interaction is not required for exploitation, and the confidentiality impact is high as sensitive information could be exposed through incorrect path resolutions. However, integrity and availability impacts are noted as none.
Risk & Impact Analysis
The risk to organizations includes potential unauthorized access to sensitive data, leading to data breaches or exploitation of additional vulnerabilities. The blast radius can extend to any application relying on Node.js within a Windows environment. Given the medium severity, organizations should prioritize patching immediately to minimize exposure.
The CVSS score indicates a moderate risk profile, necessitating a timely response from security teams. Monitoring the vulnerability landscape for any emerging exploits is also recommended.
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
The vulnerability affects the following Node.js versions: 18.0 to 18.20.6, 20.0 to 20.18.2, 22.0 to 22.13.1, and 23.0 to 23.6.1. All users of these versions should upgrade to the latest patched versions.
Mitigation & Remediation
To mitigate this vulnerability, organizations should upgrade Node.js to versions beyond the affected ranges. The latest stable releases should be applied as soon as possible to ensure protection against this vulnerability.
For those unable to upgrade immediately, implementing strict input validation on any paths processed through the `path.join` API may help reduce exposure.
Organizations should also consider implementing configuration hardening and network controls to further secure their environments.
For ongoing security, organizations may benefit from periodic reviews and audits of their systems, including penetration testing to identify similar weaknesses.
Detection Guidance
To detect potential exploitation of this vulnerability, organizations should monitor system logs for any anomalous path access patterns. Specific focus should be on paths processed through the `path.join` API.
Behavioral anomalies, such as unexpected access to root directories, should also be flagged for further investigation.
AppSecure Threat Intelligence Insight
The long-term significance of this vulnerability highlights the importance of secure path handling in programming environments. Security teams should be aware that even minor oversight in path management can lead to severe vulnerabilities.
The pattern of vulnerabilities related to file path handling continues to be a common trend, indicating a need for thorough testing and validation in software development practices.
Organizations should implement strategic defensive measures, including adopting secure coding practices and conducting regular security assessments, to safeguard against similar vulnerabilities.
For further information on application security practices, consider reviewing our application security assessment and penetration testing methodology resources.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)