CVE-2025-27210

HIGH

Node.js 20.0.0-20.19.3, 22.0.0-22.17.0, 24.0.0-24.4.0 - Path Traversal via Windows Device Names in path.join

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-27210. PoCs published by Abdualhadi khalifa, absholi7ly, mindeddu.

AI-analyzed exploit summary This exploit demonstrates a path traversal vulnerability in Node.js 24.x on Windows by leveraging reserved device names (e.g., AUX) to bypass path normalization. It attempts to read arbitrary files by crafting a malicious path with traverse sequences and sending it via HTTP GET or POST requests.

Description

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

Exploits (3)

exploitdb WORKING POC
by Abdualhadi khalifa · pythonremotenodejs
https://www.exploit-db.com/exploits/52369

This exploit demonstrates a path traversal vulnerability in Node.js 24.x on Windows by leveraging reserved device names (e.g., AUX) to bypass path normalization. It attempts to read arbitrary files by crafting a malicious path with traverse sequences and sending it via HTTP GET or POST requests.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Node.js 24.x
No auth needed
Prerequisites: Vulnerable Node.js application running on Windows · Accessible endpoint that processes file paths
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by absholi7ly · poc
https://github.com/absholi7ly/CVE-2025-27210_NodeJS_Path_Traversal_Exploit

This PoC exploits a path traversal vulnerability in Node.js on Windows (CVE-2025-27210) by leveraging reserved device file names (e.g., AUX) combined with directory traversal sequences. It sends crafted HTTP requests to retrieve arbitrary files from the target system.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Node.js applications on Windows (specific version not specified)
No auth needed
Prerequisites: Vulnerable Node.js application running on Windows · Network access to the target endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by mindeddu · poc
https://github.com/mindeddu/Vulnerable-CVE-2025-27210

This repository contains a Python-based PoC for CVE-2025-27210, a path traversal vulnerability in Node.js on Windows. The exploit leverages reserved device names (e.g., AUX, CON) to bypass path normalization and access arbitrary files.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Node.js (Windows)
No auth needed
Prerequisites: Vulnerable Node.js application running on Windows · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.1243
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (19)
nodejs/node 20.0.0 - 20.19.4
nodejs/node 22.0.0 - 22.17.1
nodejs/node 24.0.0 - 24.4.1
nodejs/nodejs 10.0 - 10.*
nodejs/nodejs 11.0 - 11.*
nodejs/nodejs 12.0 - 12.*
nodejs/nodejs 13.0 - 13.*
nodejs/nodejs 14.0 - 14.*
nodejs/nodejs 15.0 - 15.*
nodejs/nodejs 16.0 - 16.*
... and 9 more
Published Jul 18, 2025
Tracked Since Feb 18, 2026