Unrated severity · NVD Advisory · Published Jan 28, 2025 · Updated Nov 4, 2025
CVE-2025-23084
Description
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.
On Windows, a path that does not start with the file separator is treated as relative to the current directory.
This vulnerability affects Windows users of the path.join API.
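One way to guard a join of untrusted input against drive names, shown as an added example that is not part of the advisory or of Node.js itself. The function name safeJoin, the base directory C:\app\uploads and the sample inputs are assumptions constructed for illustration.

```javascript
'use strict';
// path.win32 applies Windows path rules on any host OS, so this runs anywhere.
const path = require('path').win32;

// Hypothetical upload root (constructed for this example).
const BASE_DIR = 'C:\\app\\uploads';

// Join one untrusted relative path onto baseDir.
// Returns the absolute target path, or null when the input is rejected.
function safeJoin(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.length === 0) return null;
  if (untrusted.includes('\0')) return null;

  // Check each segment before any path API sees it, so the decision does
  // not depend on how join/normalize treat drive names in a given release.
  // A colon covers "C:", "C:foo" and "file.txt:stream" (NTFS data streams).
  for (const segment of untrusted.split(/[\\/]+/)) {
    if (segment.includes(':')) return null;
  }

  // Rooted ("\Windows", "/Windows") and UNC ("\\host\share") input.
  if (path.isAbsolute(untrusted)) return null;

  // Resolve, then confirm the result is still inside baseDir.
  const base = path.resolve(baseDir);
  const target = path.resolve(base, untrusted);
  const rel = path.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || path.isAbsolute(rel)) return null;
  return target;
}

// Constructed sample inputs: [untrusted value, expected result].
const SAMPLES = [
  ['reports/q1.txt', 'C:\\app\\uploads\\reports\\q1.txt'],
  ['a\\..\\b.txt', 'C:\\app\\uploads\\b.txt'],
  ['../C:/Windows', null],   // drive name hidden behind a ".." segment
  ['C:Windows', null],       // drive-relative form
  ['..\\secret.txt', null],  // plain traversal
  ['\\Windows', null],       // rooted on the current drive
];

// Returns the samples whose result differs from the expected value.
function failingSamples() {
  return SAMPLES.filter(([input, want]) => safeJoin(BASE_DIR, input) !== want);
}

console.log(failingSamples().length === 0 ? 'all samples behave as expected' : failingSamples());
```

The segment check runs before any path function is called, so the result is the same on patched and unpatched Node.js releases.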
Affected products
osv-coords, 18 versions (no CPE for any entry):
- pkg:apk/chainguard/nodejs-16, range: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-16-doc, range: < 16.20.2-r16
- pkg:apk/chainguard/nodejs-21, range: < 21.7.3-r13
- pkg:apk/chainguard/nodejs-21-doc, range: < 21.7.3-r13
- pkg:apk/wolfi/nodejs-16, range: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-16-doc, range: < 16.20.2-r16
- pkg:apk/wolfi/nodejs-21, range: < 21.7.3-r13
- pkg:apk/wolfi/nodejs-21-doc, range: < 21.7.3-r13
- pkg:bitnami/node, range: < 18.20.6
- pkg:bitnami/node-min, range: < 18.20.6
- pkg:deb/ubuntu/nodejs@0.10.25~dfsg2-2ubuntu1.2+esm2?arch=source&distro=esm-infra-legacy/trusty, range: >= 0
- pkg:deb/ubuntu/nodejs@10.19.0~dfsg-3ubuntu1.6?arch=source&distro=focal, range: >= 0
- pkg:deb/ubuntu/nodejs@12.22.9~dfsg-1ubuntu3.6?arch=source&distro=jammy, range: >= 0
- pkg:deb/ubuntu/nodejs@18.19.1+dfsg-6ubuntu5?arch=source&distro=noble, range: >= 0
- pkg:deb/ubuntu/nodejs@20.16.0+dfsg-1ubuntu1?arch=source&distro=oracular, range: >= 0
- pkg:deb/ubuntu/nodejs@20.18.1+dfsg-1ubuntu2?arch=source&distro=plucky, range: >= 0
- pkg:deb/ubuntu/nodejs@4.2.6~dfsg-1ubuntu4.2+esm3?arch=source&distro=esm-apps/xenial, range: >= 0
- pkg:deb/ubuntu/nodejs@8.10.0~dfsg-2ubuntu0.4+esm6?arch=source&distro=esm-apps/bionic, range: >= 0