CVE-2025-23084

Updated: 2025-11-10 02:55:37.786364

Description:

A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of `path.join` API.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0.0
CVSS Version 3.x MEDIUM 5.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
Debian 11 nodejs 16 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:43
Debian 11 nodejs 20 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:27
Debian 11 nodejs 12 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:22
Debian 11 nodejs 14 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:21
Debian 12 nodejs 16 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:42 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Debian 12 nodejs 14 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:20 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Debian 12 nodejs 20 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:26 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Debian 12 nodejs 23 5.5 MEDIUM Not Vulnerable 2026-02-03 17:19:19 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Debian 12 nodejs 18 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:18 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Debian 12 nodejs 12 5.5 MEDIUM Not Vulnerable 2025-11-04 22:56:21 Not affected: CVE-2025-23084 is a Windows-specific path-handling flaw in Node.js’s path.join that ...
Total: 67