CVE-2025-23084 Overview
CVE-2025-23084 is a path traversal vulnerability in Node.js affecting Windows environments. Certain Node.js functions, including the path.join API, do not treat drive names as special on Windows. Node.js assumes the input is a relative path, but Windows resolves it against the root of the specified drive. This mismatch allows an attacker with local access to manipulate file path resolution and access resources outside the intended directory.
The issue is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Critical Impact
Applications using path.join on Windows can be tricked into reading files outside the expected directory, enabling confidentiality breaches in multi-tenant or sandboxed Node.js services.
Affected Products
- Node.js (multiple release lines — see vendor advisory)
- Microsoft Windows (all supported versions running affected Node.js)
- Applications relying on path.join for path sanitization on Windows
Discovery Timeline
- 2025-01-28 - CVE-2025-23084 published to NVD
- January 2025 - Node.js publishes January 2025 Security Releases
- 2025-03-21 - NetApp publishes NTAP-20250321-0003 Security Advisory
- 2025-07-22 - Disclosure post on Openwall OSS-Security List
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2025-23084
Vulnerability Analysis
The vulnerability stems from how Node.js parses Windows-style paths in which a drive letter is not followed by a separator. On Windows, a path such as C:foo is not absolute. The operating system interprets it as relative to the current working directory of drive C:, while a path beginning with C:\ is absolute and rooted at the drive.
Node.js path-handling routines on Windows treat the leading drive component as ordinary path text rather than a special construct. When an application calls path.join('safe_base', userInput) and userInput contains a drive specifier like C:evil, the resulting string can resolve to a location outside safe_base once passed to a file system API.
The impact is limited to confidentiality (C:H in the CVSS vector) because file system reads are the primary observed consequence. Exploitation requires local access and low privileges, and no user interaction is required.
Root Cause
The root cause is incomplete Windows-specific input validation inside Node.js path utilities. The library does not normalize drive-relative paths the way Windows itself does. As a result, the abstraction provided by path.join does not match the file system semantics it ultimately interacts with, breaking developer assumptions about containment.
Attack Vector
An attacker who can supply input to a Node.js application running on Windows can craft a payload using drive-relative notation (for example, C:Users\victim\file.txt). When the application joins this string with a trusted base path and then opens it, the file system resolves the request against the drive root rather than the intended directory, leading to information disclosure outside the sandbox.
No verified public proof-of-concept code is available. Refer to the Node.js Security Releases Blog for vendor-provided technical details.
Detection Methods for CVE-2025-23084
Indicators of Compromise
- Node.js process accessing files outside expected application directories on Windows hosts
- Application logs showing user-supplied input containing drive letters such as C:, D:, or other volume identifiers concatenated with file names
- File open events targeting sensitive paths like C:\Users\, C:\Windows\, or configuration directories from a Node.js worker process
Detection Strategies
- Inventory Node.js installations on Windows servers and developer workstations and compare versions against the fixed releases listed in the vendor advisory
- Audit application source code for use of path.join, path.resolve, and fs APIs where untrusted input is concatenated with trusted base directories
- Add runtime checks that reject any path segment matching the Windows drive pattern (^[A-Za-z]:) before passing input to file system functions
Monitoring Recommendations
- Enable file integrity and access monitoring on Windows hosts running Node.js services, with alerts on reads from outside designated application directories
- Forward Node.js application logs and Windows Security event logs to a centralized analytics platform for correlation of suspicious path inputs
- Track process command lines and child process activity from node.exe to identify anomalous file access patterns
How to Mitigate CVE-2025-23084
Immediate Actions Required
- Upgrade Node.js to a patched release as documented in the January 2025 Security Releases
- Identify all Windows hosts running Node.js, including embedded runtimes shipped with desktop and server applications
- Review application code paths that accept user-supplied file names or paths and add explicit validation against Windows drive-relative notation
Patch Information
The Node.js project addressed the issue in the January 2025 security release cycle. Affected release lines and exact fixed versions are listed in the Node.js Security Releases Blog. NetApp products bundling Node.js are tracked in NTAP-20250321-0003.
Workarounds
- Validate user-supplied path segments with a strict allowlist before passing them to path.join, rejecting any value containing : on Windows
- Resolve the final path with path.resolve and verify it begins with the intended base directory before performing file operations
- Run Node.js services under least-privilege Windows accounts to limit the scope of files an attacker can read through path traversal
// Example: verify the resolved path stays within the intended base directory
const path = require('path');
const base = path.resolve('C:\\app\\data');

function resolveInsideBase(userInput) {
  const target = path.resolve(base, userInput);
  // Require the trailing separator so a sibling such as C:\app\data2 is rejected
  if (!target.startsWith(base + path.sep)) {
    throw new Error('Path traversal attempt detected');
  }
  return target;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.