CVE-2025-23084

MEDIUM

Nodejs Node.js < 18.20.6 - Path Traversal

Description

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API.

Exploits (1)

github WORKING POC 6 stars
by AikidoSec · javascriptpoc
https://github.com/AikidoSec/zen-0-days/tree/main/node/CVE-2025-23084

Scores

CVSS v3 5.5
EPSS 0.0129
EPSS Percentile 79.4%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-22
Status published

Affected Products (1)

nodejs/node.js < 18.20.6

Timeline

Published Jan 28, 2025
Tracked Since Feb 18, 2026