CVE-2025-23084 MEDIUM

CVE-2025-23084

Vendor Nodejs
Product Node
Published January 28, 2025
Last update November 4, 2025

CVSS base score

5.6/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.

Key dates

02Disclosure timeline

January 28, 2025 CVE published
November 4, 2025 Record updated