CVE-2025-23084

NameCVE-2025-23084
DescriptionA vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4fixed
bullseye (security)12.22.12~dfsg-1~deb11u6fixed
bookworm18.19.0+dfsg-6~deb12u2fixed
bookworm (security)18.19.0+dfsg-6~deb12u1fixed
sid, trixie20.19.0+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)(not affected)

Notes

- nodejs <not-affected> (Only affect Node.js on Windows)
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases#path-traversal-by-drive-name-in-windows-environment-cve-2025-23084---medium
Fixed by: https://github.com/nodejs/node/commit/0afc6f960017708df3870ff1d61249443873637b (v23.6.1)
Search for package or bug name: Reporting problems