The Node.js project has released critical security updates across multiple release lines to address two high-severity vulnerabilities that pose significant risks to Windows applications and could enable denial-of-service attacks.
The vulnerabilities, identified as CVE-2025-27210 and CVE-2025-27209, affect active Node.js release lines including versions 20.x, 22.x, and 24.x, prompting immediate security patches released on July 15, 2025.
Critical Windows Path Traversal Vulnerability
Security researchers have identified that attackers can exploit Windows device names to bypass path traversal protection mechanisms, potentially allowing unauthorized access to system resources or sensitive file locations.
| CVE ID | Title | Severity | Affected Versions | Platform | Reporter |
| CVE-2025-27210 | Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize() | High | 20.x, 22.x, 24.x | Windows | oblivionsage |
| CVE-2025-27209 | HashDoS in V8 | High | 24.x | All | sharp_edged |
The vulnerability affects all users across active release lines, making it a widespread concern for Windows-based Node.js applications.
The issue was discovered by security researcher oblivionsage and subsequently addressed by RafaelGSS, highlighting the collaborative nature of Node.js security maintenance.
This vulnerability demonstrates how incomplete security fixes can create persistent attack vectors, emphasizing the importance of thorough security testing and validation.
The second vulnerability, CVE-2025-27209, introduces a HashDoS (Hash Denial-of-Service) vulnerability through changes in the V8 JavaScript engine’s string hashing implementation.
The V8 release used in Node.js v24.0.0 modified string hash computation to use rapidhash, inadvertently reintroducing a hash collision vulnerability.
This implementation flaw allows attackers who can control input strings to generate numerous hash collisions without requiring knowledge of the hash seed.
Such attacks can lead to performance degradation and potential denial-of-service conditions in applications processing user-controlled string data.
Notably, while the V8 development team does not classify this as a security vulnerability, the Node.js project has taken a more conservative approach, recognizing its potential impact in real-world deployment scenarios.
The vulnerability specifically affects Node.js v24.x users and was reported by sharp_edged, with fixes implemented by targos.
The Node.js project has released updated versions addressing these vulnerabilities: Node.js v20.19.4, v22.17.1, and v24.4.1.
Organizations running Node.js applications, particularly those on Windows systems or using v24.x releases, should prioritize immediate updates to mitigate these security risks.
The Node.js security team emphasizes that End-of-Life versions remain vulnerable during security releases, reinforcing the importance of maintaining current versions according to the official release schedule.
Users can stay informed about future security updates through the nodejs-sec mailing list and should follow the established vulnerability reporting process outlined in the project’s security policy.
Stay Updated on Daily Cybersecurity News . Follow us on Google News, LinkedIn, and X.
