feature: nodejs - CVE-2025-27210 - path traversal via device name on Windows #121

@hyde-repo

Add CVE-2025-27210 to the inventory.

An incomplete fix in Node.js allows attackers on Windows to exploit reserved device names like CON, PRN, and AUX when using path.join() or path.normalize(). This bypasses directory restrictions and enables access to arbitrary files.

Section: ctf/app/nodejs/
Type: path traversal / information disclosure

Windows only.
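
A defensive check for the behaviour described above, as an added example that is not part of the issue or of Node.js itself: it rejects reserved device names before the path is resolved, then confirms the result stays under a base directory. The names `safeResolve` and `hasReservedSegment` and the sample paths are assumptions; `path.win32` is used so the check applies Windows path rules on any host OS.

```javascript
'use strict';
// Added example: function names and sample paths are constructed for illustration.
const path = require('node:path').win32; // Windows path rules on any host OS

// Legacy DOS device names. Windows still treats "CON.txt", "aux " or "PRN:" as the device.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

function hasReservedSegment(userPath) {
  return userPath.split(/[\\/]+/).some((segment) => {
    // Drop any ":suffix", extension and trailing spaces before comparing.
    const stem = segment.split(':')[0].split('.')[0].trim();
    return RESERVED.test(stem);
  });
}

function safeResolve(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) {
    throw new Error('invalid path');
  }
  // Reject on the raw input, so the decision does not depend on how the
  // installed Node.js version normalises device names.
  if (hasReservedSegment(userPath)) {
    throw new Error('reserved device name in path');
  }
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath);
  const rel = path.relative(base, target);
  // ".." prefix means above the base; an absolute result means another drive or UNC share.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('path escapes base directory');
  }
  return target;
}
```

This check complements running a patched Node.js release; it does not replace it.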
