CVE-2025-23084 Information

Description

A vulnerability has been identified in Node.js specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not treat drive names as special on Windows. As a result although Node.js assumes a relative path it actually refers to the root directory.

On Windows a path that does not start with the file separator is treated as relative to the current directory.

This vulnerability affects Windows users of path.join API.

Reference

https://nodejs.org/en/blog/vulnerability/january-2025-security-releases