CVE-2025-23084: 
npm vulnerability analysis and mitigation

A medium-severity vulnerability (CVE-2025-23084) has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. The vulnerability was discovered in January 2025 and affects Windows users of the path.join API across Node.js versions 18.x, 20.x, 22.x, and 23.x. The issue was reported by taise and fixed by tniessen (NodeJS Blog).

The vulnerability stems from Node.js functions not properly treating drive names as special on Windows. When a path doesn't start with a file separator, it's treated as relative to the current directory. However, due to this vulnerability, although Node.js assumes a relative path, it actually refers to the root directory. The vulnerability has been assigned a CVSS 3.0 Base Score of 5.6 (Medium) with the vector string CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

This vulnerability affects all users in active Node.js release lines: 18.x, 20.x, 22.x, and 23.x running on Windows environments. The path traversal vulnerability could potentially allow attackers to access files outside of the intended directory (Security Online).

The Node.js project has released security updates to address this vulnerability. Users are advised to update to the following patched versions: Node.js v18.20.6, Node.js v20.18.2, Node.js v22.13.1, or Node.js v23.6.1 (NodeJS Blog).