
Node.js Vulnerabilities Expose Windows Apps to Path Traversal and HashDoS

The Node.js project has announced critical security updates across multiple release lines, addressing two high-severity vulnerabilities that pose significant risks to Windows users and applications running on the latest Node.js versions.

These vulnerabilities, identified as CVE-2025-27210 and CVE-2025-27209, affect millions of applications worldwide and require immediate attention from developers and system administrators.

The security releases cover Node.js versions 20.x, 22.x, and 24.x, with patches becoming available on July 15, 2025, highlighting the urgent nature of these security concerns.

The first vulnerability, CVE-2025-27210, is a critical flaw in Node.js's path normalization that affects Windows systems.

The vulnerability allows attackers to bypass the path traversal protections implemented in the path.normalize() function, potentially enabling unauthorized access to sensitive files and system resources.

The impact of this vulnerability extends across all active Node.js release lines, including versions 20.x, 22.x, and 24.x, making it a widespread concern for Windows-based applications.

Applications that use the path.join API are particularly exposed, since path.join relies on the same normalization step to construct file paths safely.

The vulnerability was discovered by security researcher oblivionsage and subsequently patched by RafaelGSS, demonstrating the collaborative effort within the Node.js security community to address critical issues promptly.

Node.js Vulnerabilities

The second vulnerability, CVE-2025-27209, introduces a Hash Denial of Service (HashDoS) attack vector through changes in the V8 JavaScript engine’s string hashing implementation.

This vulnerability specifically affects Node.js version 24.x users and stems from the adoption of rapidhash for string hash computation in V8.

The implementation reintroduces a previously known weakness that lets attackers deliberately generate hash collisions, even without knowledge of the hash seed used by the system.

What makes this vulnerability particularly concerning is the philosophical divide between the V8 team and the Node.js project regarding its classification.

While the V8 development team does not consider this a security vulnerability, the Node.js project has elevated it to high severity due to its potential real-world impact on applications that rely heavily on hash-based operations.

Attackers who can control the strings being hashed can exploit this vulnerability to cause performance degradation or denial of service conditions.

The vulnerability was identified by security researcher sharp_edged and resolved through the efforts of contributor targos.

Remediation Efforts

The Node.js security team has released a comprehensive response to address both vulnerabilities simultaneously across multiple release lines.

The patches are available through Node.js versions 20.19.4, 22.17.1, and 24.4.1, ensuring broad coverage across the ecosystem.

The project emphasizes that End-of-Life versions remain vulnerable when security releases occur, reinforcing the importance of maintaining current versions according to the official release schedule.

Organizations using Node.js in production environments should prioritize updating to the latest patched versions immediately.

The Node.js security policy provides detailed guidance for reporting vulnerabilities, while the nodejs-sec mailing list offers ongoing security updates for administrators and developers seeking to maintain secure deployments.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
