CVE-2025-27210: 
Node.js vulnerability analysis and mitigation

An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of path.join API and was discovered in July 2025. The vulnerability impacts Node.js versions 20.x, 22.x, and 24.x release lines (Node Blog, Security Online).

The vulnerability lies in how the path.normalize() and path.join() APIs handle device names in Windows environments. The issue received a CVSS v3.0 base score of 7.5 (High), with the vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal) (NVD).

Attackers can exploit this behavior to manipulate filesystem paths and potentially access unauthorized files or directories on Windows-based Node.js applications. The vulnerability affects millions of backend and full-stack applications globally that rely on Node.js (Security Online).

The OpenJS Foundation has released patched versions to address this vulnerability: Node.js v20.19.4, Node.js v22.17.1, and Node.js v24.4.1. Users are strongly advised to upgrade to these versions to mitigate the security risk (Node Blog).