{"id":"CVE-2025-23084","details":"A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result, although Node.js assumes a relative path, it actually refers to the root directory.\r\n\r\nOn Windows, a path that does not start with the file separator is treated as relative to the current directory. \r\n\r\nThis vulnerability affects Windows users of `path.join` API.","aliases":["BIT-node-2025-23084","BIT-node-min-2025-23084"],"modified":"2026-03-20T04:23:01.530390Z","published":"2025-01-28T05:15:11.267Z","related":["CGA-rhvv-3wv7-prfh"],"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2025/07/22/2"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20250321-0003/"},{"type":"ADVISORY","url":"https://nodejs.org/en/blog/vulnerability/january-2025-security-releases"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nodejs/node","events":[{"introduced":"49a77a5a996a49e8cb728eed42e55a7c1a9eef6e"},{"fixed":"60224762462585b64a17ee007d7f657e1b66758c"},{"introduced":"e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0"},{"fixed":"53a57efd83a18efe7a84bf1b460acc789139939b"},{"introduced":"12fb157f79da8c094a54bc99370994941c28c235"},{"fixed":"e6c7018aa5db77c2cb720c5662eab12ff3320bf4"},{"introduced":"80c899860da26b56971969e84bb6c902f00317ff"},{"fixed":"25a01ea40d60a3cec56263fef109d00d638208c0"}],"database_specific":{"versions":[{"introduced":"18.0"},{"fixed":"18.20.6"},{"introduced":"20.0"},{"fixed":"20.18.2"},{"introduced":"22.0"},{"fixed":"22.13.1"},{"introduced":"23.0"},{"fixed":"23.6.1"}]}}],"versions":["v18.0.0","v18.1.0","v18.10.0","v18.11.0","v18.12.0","v18.12.1","v18.13.0","v18.14.0","v18.14.1","v18.14.2","v18.15.0","v18.16.0","v18.16.1","v18.17.0","v18.17.1","v18.18.0","v18.18.1","v18.18.2","v18.19.0","v18.19.1","v18.2.0","v18.20.0","v18.20.1","v18.20.2","v18.20.3","v18.20.4","v18.20.5","v18.3.0","v18.4.0","v18.5.0","v18.6.0","v18.7.0","v18.8.0","v18.9.0","v18.9.1","v20.0.0","v20.1.0","v20.10.0","v20.11.0","v20.11.1","v20.12.0","v20.12.1","v20.12.2","v20.13.0","v20.13.1","v20.14.0","v20.15.0","v20.15.1","v20.16.0","v20.17.0","v20.18.0","v20.18.1","v20.2.0","v20.3.0","v20.3.1","v20.4.0","v20.5.0","v20.5.1","v20.6.0","v20.6.1","v20.7.0","v20.8.0","v20.8.1","v20.9.0","v22.0.0","v22.1.0","v22.10.0","v22.11.0","v22.12.0","v22.13.0","v22.2.0","v22.3.0","v22.4.0","v22.4.1","v22.5.0","v22.5.1","v22.6.0","v22.7.0","v22.8.0","v22.9.0","v23.0.0","v23.1.0","v23.2.0","v23.3.0","v23.4.0","v23.5.0","v23.6.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23084.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}