CVE-2025-23084 - NVD | ByteOS Network

NVD Vulnerability Details :

CVE-2025-23084

Analyzed

More Info Official Page

Source-support@hackerone.com

Published At-28 Jan, 2025 | 05:15

Updated At-19 Aug, 2025 | 18:45

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	5.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Secondary	3.0	5.6	MEDIUM	CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CPE Matches

Node.js (OpenJS Foundation)

>>node.js>>Versions from 18.0(inclusive) to 18.20.6(exclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Node.js (OpenJS Foundation)

>>node.js>>Versions from 20.0(inclusive) to 20.18.2(exclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Node.js (OpenJS Foundation)

>>node.js>>Versions from 22.0(inclusive) to 22.13.1(exclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Node.js (OpenJS Foundation)

>>node.js>>Versions from 23.0(inclusive) to 23.6.1(exclusive)

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

Microsoft Corporation

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-22	Secondary	134c704f-9b21-4f2e-91b3-4a467353bcc0

References

Hyperlink	Source	Resource
https://nodejs.org/en/blog/vulnerability/january-2025-security-releases	support@hackerone.com	Vendor Advisory