Home
HIGH: 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NDefault status
unaffected
20.0.0 (semver) before 20.19.4
affected
22.0.0 (semver) before 22.17.1
affected
24.0.0 (semver) before 24.4.1
affected
Default status
unaffected
4.0 (semver) before 4.*
affected
5.0 (semver) before 5.*
affected
6.0 (semver) before 6.*
affected
7.0 (semver) before 7.*
affected
8.0 (semver) before 8.*
affected
9.0 (semver) before 9.*
affected
10.0 (semver) before 10.*
affected
11.0 (semver) before 11.*
affected
12.0 (semver) before 12.*
affected
13.0 (semver) before 13.*
affected
14.0 (semver) before 14.*
affected
15.0 (semver) before 15.*
affected
16.0 (semver) before 16.*
affected
17.0 (semver) before 17.*
affected
18.0 (semver) before 18.*
affected
19.0 (semver) before 19.*
affected
Description
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
Product status
20.0.0 (semver) before 20.19.4
22.0.0 (semver) before 22.17.1
24.0.0 (semver) before 24.4.1
4.0 (semver) before 4.*
5.0 (semver) before 5.*
6.0 (semver) before 6.*
7.0 (semver) before 7.*
8.0 (semver) before 8.*
9.0 (semver) before 9.*
10.0 (semver) before 10.*
11.0 (semver) before 11.*
12.0 (semver) before 12.*
13.0 (semver) before 13.*
14.0 (semver) before 14.*
15.0 (semver) before 15.*
16.0 (semver) before 16.*
17.0 (semver) before 17.*
18.0 (semver) before 18.*
19.0 (semver) before 19.*
References
www.openwall.com/lists/oss-security/2025/07/22/2
nodejs.org/en/blog/vulnerability/july-2025-security-releases