CVE-2025-27210

Description

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

Reserved 2025-02-20 | Published 2025-07-18 | Updated 2025-07-18 | Assigner hackerone

Product status

Default status
unaffected

20.0.0 before 20.19.4
affected

22.0.0 before 22.17.1
affected

24.0.0 before 24.4.1
affected

Default status
unaffected

4.0 before 4.*
affected

5.0 before 5.*
affected

6.0 before 6.*
affected

7.0 before 7.*
affected

8.0 before 8.*
affected

9.0 before 9.*
affected

10.0 before 10.*
affected

11.0 before 11.*
affected

12.0 before 12.*
affected

13.0 before 13.*
affected

14.0 before 14.*
affected

15.0 before 15.*
affected

16.0 before 16.*
affected

17.0 before 17.*
affected

18.0 before 18.*
affected

19.0 before 19.*
affected

References

nodejs.org/en/blog/vulnerability/july-2025-security-releases

cve.org (CVE-2025-27210)

nvd.nist.gov (CVE-2025-27210)

Download JSON