CVE-2025-27210

Summary

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX.

This vulnerability affects Windows users of path.join API.

Affected Software

VendorProductVersion RangeStatus
nodejsnode20.0.0 < 20.19.4affected
nodejsnode22.0.0 < 22.17.1affected
nodejsnode24.0.0 < 24.4.1affected
nodejsnodejs4.0 < 4.*affected
nodejsnodejs5.0 < 5.*affected
nodejsnodejs6.0 < 6.*affected
nodejsnodejs7.0 < 7.*affected
nodejsnodejs8.0 < 8.*affected
nodejsnodejs9.0 < 9.*affected
nodejsnodejs10.0 < 10.*affected
nodejsnodejs11.0 < 11.*affected
nodejsnodejs12.0 < 12.*affected
nodejsnodejs13.0 < 13.*affected
nodejsnodejs14.0 < 14.*affected
nodejsnodejs15.0 < 15.*affected
nodejsnodejs16.0 < 16.*affected
nodejsnodejs17.0 < 17.*affected
nodejsnodejs18.0 < 18.*affected
nodejsnodejs19.0 < 19.*affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

CVE Program Container

Additional References

References