5.6

CVE-2025-23084

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.

On Windows, a path that does not start with the file separator is treated as relative to the current directory. 

This vulnerability affects Windows users of `path.join` API.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodejsNode.Js SwEdition- Version >= 18.0 < 18.20.6
   MicrosoftWindows Version-
NodejsNode.Js SwEdition- Version >= 20.0 < 20.18.2
   MicrosoftWindows Version-
NodejsNode.Js SwEdition- Version >= 22.0 < 22.13.1
   MicrosoftWindows Version-
NodejsNode.Js SwEdition- Version >= 23.0 < 23.6.1
   MicrosoftWindows Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.12% 0.309
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
support@hackerone.com 5.6 1.3 4.2
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.