Updated: 2025-11-10 02:55:37.786364
Description:
A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory. On Windows, a path that does not start with the file separator is treated as relative to the current directory. This vulnerability affects Windows users of the `path.join` API.
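
An added example (not from the advisory or the Node.js project): a containment check for code that joins untrusted input onto a base directory under Windows path semantics, rejecting drive-qualified segments that `path.win32.isAbsolute` does not flag. The helper names `safeJoinWin32` and `isAccepted`, the base directory and the sample inputs are assumptions constructed for illustration.

```javascript
const path = require('path');

// Assumed policy (not from the advisory): user input must be a plain relative
// path that stays inside baseDir. Windows semantics are forced via path.win32
// so the check behaves the same on any host OS.
function safeJoinWin32(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.length === 0) {
    throw new Error('empty or non-string path');
  }
  // Rooted input such as "\\Windows" or "C:\\Windows".
  if (path.win32.isAbsolute(untrusted)) {
    throw new Error('absolute path rejected');
  }
  // Drive-relative input such as "D:notes.txt" is NOT absolute according to
  // isAbsolute(), yet it names another drive. ':' is reserved in Windows file
  // names, so reject it in every segment, not only the first.
  for (const segment of untrusted.split(/[\\/]+/)) {
    if (segment.includes(':')) {
      throw new Error('drive specifier rejected: ' + segment);
    }
  }
  const base = path.win32.resolve(baseDir);
  const candidate = path.win32.resolve(base, untrusted);
  // Containment check on the final result catches "..\\" traversal.
  const rel = path.win32.relative(base, candidate);
  if (rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return candidate;
}

// Returns true when the input is accepted, false when it is rejected.
function isAccepted(baseDir, untrusted) {
  try {
    safeJoinWin32(baseDir, untrusted);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed sample inputs, checked against a constructed base directory.
const BASE = 'C:\\srv\\uploads';
for (const input of ['img\\a.png', 'D:notes.txt', 'img\\C:..\\x', '..\\..\\x']) {
  console.log(JSON.stringify(input), isAccepted(BASE, input) ? 'accepted' : 'rejected');
}
```

The colon check runs before any join or resolve call, so the result does not depend on how the installed Node.js version normalizes drive names.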

Links: NIST, CIRCL, RHEL, Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| 2.x | | 0.0 |
| 3.x | MEDIUM | 5.5 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 13 | nodejs | 18 | 5.5 | MEDIUM | Not Vulnerable | | 2025-11-04 22:56:37 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 24 | 5.5 | MEDIUM | Already Fixed | | 2026-02-17 18:19:48 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 12 | 5.5 | MEDIUM | Not Vulnerable | | 2025-11-04 22:56:41 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 22 | 5.5 | MEDIUM | Already Fixed | | 2026-02-17 18:19:49 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 14 | 5.5 | MEDIUM | Not Vulnerable | | 2025-11-04 22:56:39 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 20 | 5.5 | MEDIUM | Not Vulnerable | | 2025-11-04 22:56:39 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 23 | 5.5 | MEDIUM | Not Vulnerable | | 2026-02-03 17:19:19 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| Debian 13 | nodejs | 16 | 5.5 | MEDIUM | Not Vulnerable | | 2025-11-04 22:56:40 | Not affected—CVE-2025-23084 targets a Windows-only code path in Node.js where path.join mishandles... |
| EL 10 | nodejs | 16 | 5.5 | MEDIUM | Not Vulnerable | | 2026-02-10 15:16:47 | |
| EL 10 | nodejs | 20 | 5.5 | MEDIUM | Not Vulnerable | | 2026-02-05 14:08:35 | |