Node.js Path Traversal on Windows: CVE-2025-27210 Exploited with Device Names (PoC Inside)

A critical path traversal flaw in Node.js (CVE-2025-27210) enables attackers to bypass directory protections on Windows using reserved device names like CON, PRN, and AUX. This post dissects the vulnerability, provides a real-world PoC, and details patching strategies for defenders.
CVE Analysis

ZeroPath Security Research

2025-07-18

When a single overlooked edge case can open the door to arbitrary file access, the consequences for Windows-based Node.js applications are immediate and severe. CVE-2025-27210 is not just another path traversal bug—it is a demonstration of how platform-specific quirks, like Windows' reserved device names, can undermine even well-intentioned security patches. With a working proof-of-concept exploit in the wild, defenders must act fast to close this gap.

Introduction

Node.js is the backbone of countless web services, APIs, and enterprise applications. Maintained by the OpenJS Foundation, Node.js powers millions of deployments across industries. Its cross-platform nature and massive ecosystem make it a prime target for attackers—and a critical focus for defenders. In July 2025, a high-severity path traversal vulnerability (CVE-2025-27210) was disclosed, affecting all major supported Node.js branches on Windows. This flaw enables attackers to bypass directory protections by abusing legacy device names like CON, PRN, and AUX, exposing sensitive files to unauthorized access.

Technical Information

The root of CVE-2025-27210 lies in Node.js's handling of file paths on Windows. Windows reserves certain device names—such as CON, PRN, AUX, NUL, COM1-COM9, and LPT1-LPT9—which are interpreted by the operating system as special files rather than regular filenames. Node.js's path.join and path.normalize APIs are widely used to sanitize and resolve file paths, especially in scenarios like file uploads, downloads, and static file serving.

A previous vulnerability (CVE-2025-23084) attempted to address path traversal via these APIs, but the fix was incomplete. Specifically, it failed to account for Windows device names embedded in user-supplied paths. As a result, an attacker could craft a path such as ..\CON or AUX\..\..\etc\passwd and submit it to a vulnerable Node.js application. When processed by path.join or path.normalize, these paths could bypass intended directory restrictions, granting access to arbitrary files on the system.

The vulnerability is specific to Windows platforms due to the unique handling of device names. Any Node.js application that uses these path APIs with user-controlled input is at risk if it does not implement strict input validation. The impact is potentially severe: unauthorized file reads, exposure of sensitive configuration files, or even further exploitation if privileged files are accessed.

Proof of Concept

In the realm of cybersecurity, understanding the mechanics of vulnerabilities is crucial for both defense and offense. A recent proof-of-concept (PoC) exploit for CVE-2025-27210 sheds light on a path traversal vulnerability specific to Node.js applications operating on Microsoft Windows systems.

Understanding the Vulnerability:

Path traversal vulnerabilities occur when an application improperly sanitizes user-supplied input, allowing attackers to access files and directories outside the intended scope. In this particular case, the vulnerability exploits how Windows handles reserved device file names—such as AUX, CON, and NUL—in conjunction with directory traversal sequences (../). When these sequences are processed by Node.js functions like path.join() or path.normalize(), they can lead to unauthorized file access.

The Proof-of-Concept Exploit:

The PoC exploit demonstrates how an attacker can leverage this vulnerability to access sensitive files on the system. By crafting a malicious request that includes specific traversal sequences and reserved device names, the attacker can bypass normal access controls. For instance, the PoC is invoked with a command like:

python CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py -t http://localhost:3000/download -f C:\Windows\System32\drivers\etc\hosts

This command targets a vulnerable Node.js application running locally and attempts to retrieve the system's hosts file, which could contain critical network configuration information.

Implications:

Exploiting this vulnerability can lead to unauthorized access to sensitive files, potentially exposing confidential data or system configurations. Such access can serve as a foothold for further exploitation, including privilege escalation or lateral movement within a network.

Conclusion:

This PoC underscores the importance of rigorous input validation and proper handling of file paths in applications. Developers must be vigilant in sanitizing user inputs and understanding platform-specific quirks, such as Windows' handling of reserved device names, to prevent such vulnerabilities.

PoC Source: Sploitus

Patch Information

In response to the identified vulnerabilities, the Node.js team has released updates across the 24.x, 22.x, and 20.x release lines. These updates address the following issues:

1. Windows Device Names Bypass in path.normalize() (CVE-2025-27210):

The previous fix for CVE-2025-23084 was incomplete, allowing certain Windows device names (e.g., CON, PRN, AUX) to bypass path traversal protections. The latest patch enhances the path.join API to correctly handle these device names, ensuring they cannot be exploited to traverse directories.

2. HashDoS in V8 (CVE-2025-27209):

The V8 engine's string hashing mechanism was updated to use rapidhash, inadvertently reintroducing a HashDoS vulnerability. The patch reverts this change, reinstating the previous hashing method to prevent attackers from generating hash collisions.

Updated Versions:

  • Node.js v20.19.4
  • Node.js v22.17.1
  • Node.js v24.4.1

Users are strongly encouraged to upgrade to these versions to mitigate the vulnerabilities. Detailed information and download links are available in the official security release announcement.

Patch Source: Node.js Security Release

Affected Systems and Versions

CVE-2025-27210 affects the following Node.js versions on Windows:

  • Node.js 20.x prior to 20.19.4
  • Node.js 22.x prior to 22.17.1
  • Node.js 24.x prior to 24.4.1

All configurations of Node.js applications running on Windows that use path.join or path.normalize with user-supplied input are vulnerable. Linux and macOS platforms are not affected by this specific issue.

Vendor Security History

Node.js has a history of path traversal and input validation vulnerabilities, particularly in areas involving file path resolution and dependency management. The vendor's response to CVE-2025-27210 was swift: patches were released for all supported branches within days of disclosure. The previous incomplete fix (CVE-2025-23084) highlights the complexity of securing cross-platform APIs, especially when dealing with legacy platform behaviors like Windows device names. The OpenJS Foundation maintains a mature security disclosure process and has demonstrated transparency and responsiveness in addressing critical issues.

References

Source: This report was created using AI
