CVE-2025-23084

Updated: 2025-11-10 02:55:37.786364

Description:

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0.0
CVSS Version 3.x MEDIUM 5.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
Alpine Linux 3.22 nodejs 14 5.5 MEDIUM Not Vulnerable 2026-02-03 17:19:17 Not affected. CVE-2025-23084 is specific to Node.js on Windows, relying on Windows drive-letter sema...
Alpine Linux 3.22 nodejs 16 5.5 MEDIUM Not Vulnerable 2026-02-03 17:19:17 Not affected. CVE-2025-23084 is specific to Node.js on Windows, relying on Windows drive-letter sema...
Alpine Linux 3.22 nodejs 18 5.5 MEDIUM Not Vulnerable 2026-02-03 17:19:16 Not affected. CVE-2025-23084 is specific to Node.js on Windows, relying on Windows drive-letter sema...
Alpine Linux 3.22 nodejs 23 5.5 MEDIUM Not Vulnerable 2026-02-03 17:19:18 Not affected. CVE-2025-23084 is specific to Node.js on Windows, relying on Windows drive-letter sema...
Debian 10 nodejs 16 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:44
Debian 10 nodejs 20 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:28
Debian 10 nodejs 18 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:28
Debian 10 nodejs 14 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:22
Debian 10 nodejs 12 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:23
Debian 11 nodejs 18 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:27
Total: 67