The Node.js project has released critical security updates across multiple release lines to address two high-severity vulnerabilities affecting Windows applications and V8 engine implementations.
Security releases are now available for Node.js versions 20.x, 22.x, and 24.x, with patches addressing a path traversal bypass and a HashDoS attack vector that could significantly impact application security and performance.
Key Takeaways
1. Node.js patched two high-severity flaws - Windows path traversal bypass (CVE-2025-27210) and V8 HashDoS attack (CVE-2025-27209).
2. Windows apps on Node.js 20.x, 22.x, 24.x vulnerable to path traversal; V8 HashDoS impacts only 24.x users.
3. Attackers can access unauthorized files via Windows device names and cause service disruption through hash collisions.
4. Update immediately to patched versions - v20.19.4, v22.17.1, and v24.4.1.
Windows Path Traversal Vulnerability
A critical vulnerability identified as CVE-2025-27210 has been discovered in Node.js, involving Windows reserved device names including CON, PRN, and AUX.
This high-severity issue represents an incomplete fix for the previously patched CVE-2025-23084, demonstrating how attackers can bypass path traversal protection mechanisms in the path.normalize() function.
The vulnerability affects all Windows users utilizing the path.join() API across active release lines 20.x, 22.x, and 24.x.
When processing file paths containing Windows reserved device names, the path.normalize() function fails to properly sanitize inputs, allowing attackers to traverse directory structures and potentially access sensitive files outside the intended scope.
This directory traversal attack could enable unauthorized file system access, configuration file exposure, or arbitrary file reading depending on application permissions.
The technical implementation flaw occurs when the normalization process encounters Windows-specific device names, which are treated as special system files by the operating system.
Attackers can craft malicious paths like ../../../CON/../../sensitive.txt to bypass security controls that should prevent access to parent directories.
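Alongside upgrading, an application can reject reserved device names before untrusted input ever reaches path.join() or path.normalize(). The following is an added example, not code from the Node.js project or from the original article; the function names resolveInside and isReservedSegment, the base directory C:\app\uploads and the sample inputs are constructed for illustration.

```javascript
'use strict';
const path = require('node:path');

// Windows reserved device names: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

// Windows also honours these names with an extension ("CON.txt") or a
// trailing colon ("CON:"), so compare only the part before the first "." or ":".
function isReservedSegment(segment) {
  return RESERVED.test(segment.split(/[.:]/)[0].trim());
}

// Resolve an untrusted relative path under baseDir (an absolute Windows path)
// with Windows semantics, or throw. path.win32 makes this testable on any OS.
function resolveInside(baseDir, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) {
    throw new Error('invalid path');
  }
  // Inspect raw segments BEFORE any join/normalize call, so the outcome does
  // not depend on how the running Node.js version handles device names.
  if (untrusted.split(/[\\/]+/).some(isReservedSegment)) {
    throw new Error('reserved device name');
  }
  const base = path.win32.resolve(baseDir);
  const target = path.win32.resolve(base, untrusted);
  const rel = path.win32.relative(base, target);
  // An escape shows up as a leading ".." or, across drives, an absolute path.
  if (rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel)) {
    throw new Error('outside base directory');
  }
  return target;
}

// Constructed sample inputs; the first traversal string is the one quoted above.
const samples = ['reports\\q3.txt', '../../../CON/../../sensitive.txt',
  '..\\..\\secret.txt', 'aux.log', 'console.log'];
for (const s of samples) {
  try {
    console.log('ALLOW', s, '->', resolveInside('C:\\app\\uploads', s));
  } catch (e) {
    console.log('DENY ', s, '->', e.message);
  }
}
```

The guard is deliberately stricter than Windows requires (it also refuses names such as aux.log), which is the safer default for paths derived from user input.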
V8 HashDoS Vulnerability
The second vulnerability, CVE-2025-27209, affects the V8 JavaScript engine used in Node.js v24.0.0, introducing a Hash Denial of Service (HashDoS) attack vector.
This high-severity issue stems from changes in how the V8 engine computes string hashes using the rapidhash implementation, which reintroduces collision-based vulnerabilities.
The HashDoS attack allows malicious actors to generate numerous hash collisions by controlling input strings, even without knowledge of the hash seed.
This can lead to algorithmic complexity attacks where hash table operations degrade from O(1) to O(n) performance, potentially causing severe application slowdowns or complete service disruption.
Unlike traditional hash collision attacks that require knowledge of internal hash functions, this vulnerability enables attackers to craft collision-prone strings that force the hash table into worst-case performance scenarios.
Applications processing user-controlled data through hash-based data structures become particularly vulnerable to CPU exhaustion attacks.
The Node.js project has prioritized this as a security vulnerability despite the V8 team’s classification, recognizing its potential impact in real-world deployment scenarios where application availability is critical.
| CVE | Title | Affected Products | CVSS 3.1 Score | Severity |
|---|---|---|---|---|
| CVE-2025-27210 | Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize() | Node.js 20.x, 22.x, 24.x | 7.5 | High |
| CVE-2025-27209 | HashDoS in V8 | Node.js 24.x | 7.5 | High |

Organizations running Node.js applications should immediately update to the latest patched versions: Node.js v20.19.4, v22.17.1, and v24.4.1.
The security releases address both vulnerabilities with comprehensive fixes developed by the Node.js security team in collaboration with vulnerability researchers oblivionsage, sharp_edged, RafaelGSS, and targos.
The post Node.js Vulnerabilities Exposes Windows App to Path Traversal and HashDoS Attacks appeared first on Cyber Security News.
16 July 2025