CVE-2025-27210

HIGH

Node.js - Path Traversal

Description

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the `path.join` API.

Exploits (3)

exploitdb WORKING POC
by Abdualhadi khalifa · python · remote · nodejs
https://www.exploit-db.com/exploits/52369
nomisec WORKING POC 2 stars
by absholi7ly · poc
https://github.com/absholi7ly/CVE-2025-27210_NodeJS_Path_Traversal_Exploit
nomisec WORKING POC
by mindeddu · poc
https://github.com/mindeddu/Vulnerable-CVE-2025-27210

Scores

CVSS v3 7.5
EPSS 0.0397
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-22
Status published
Products (19)
nodejs/node 20.0.0 - 20.19.4
nodejs/node 22.0.0 - 22.17.1
nodejs/node 24.0.0 - 24.4.1
nodejs/nodejs 10.0 - 10.*
nodejs/nodejs 11.0 - 11.*
nodejs/nodejs 12.0 - 12.*
nodejs/nodejs 13.0 - 13.*
nodejs/nodejs 14.0 - 14.*
nodejs/nodejs 15.0 - 15.*
nodejs/nodejs 16.0 - 16.*
... and 9 more
Published Jul 18, 2025
Tracked Since Feb 18, 2026