{"id":"ALPINE-CVE-2025-23084","details":"A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.\r\n\r\nOn Windows, a path that does not start with the file separator is treated as relative to the current directory. \r\n\r\nThis vulnerability affects Windows users of `path.join` API.","modified":"2026-03-09T01:23:56.231752Z","published":"2025-01-28T05:15:11.267Z","upstream":["CVE-2025-23084"],"references":[{"type":"ADVISORY","url":"https://security.alpinelinux.org/vuln/CVE-2025-23084"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Alpine:v3.22","purl":"pkg:apk/alpine/nodejs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.13.1-r0"}]}],"versions":["22.11.0-r0","22.11.0-r1","22.11.0-r2"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2025-23084.json"}},{"package":{"name":"nodejs","ecosystem":"Alpine:v3.23","purl":"pkg:apk/alpine/nodejs?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"22.13.1-r0"}]}],"versions":["22.11.0-r0","22.11.0-r1","22.11.0-r2"],"ecosystem_specific":{},"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2025-23084.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}