BIT-node-2025-27210

BIT-node-2025-27210 PUBLISHED CVSS 7.5 HIGH

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.

Risk Scores

CVSS 3.0

7.5

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Bitnami	node	4.0.0, 22.0.0, 24.0.0

Exploit Intelligence

2 web apps vulnerable to CVE-2025-27210 (github-poc)
(PoC) CVE-2025-27210, a precise Path Traversal vulnerability affecting Node.js applications running on Microsoft Windows. This vulnerability leverages the specific way Windows handles reserved device file names (github-poc)
safe-path.cjs (github-poc)

Timeline

Jul 22, 2025 CVE Published
Nov 6, 2025 CVE Updated

References

https://nodejs.org/en/blog/vulnerability/july-2025-security-releases url
https://nvd.nist.gov/vuln/detail/CVE-2025-27210 url
http://www.openwall.com/lists/oss-security/2025/07/22/2 url

Open in Interactive Console →