The Node.js project, under the OpenJS Foundation, has released security updates for the 24.x, 22.x and 20.x lines to fix two serious vulnerabilities, CVE-2025-27210 and CVE-2025-27209. The first affects applications that build filesystem paths on Windows; the second affects the string hashing used by the V8 JavaScript engine bundled with Node.js 24.x.
The first issue is a path traversal protection bypass, the second a hash-collision denial of service (HashDoS). Between them they affect a large share of backend and full-stack Node.js deployments worldwide.
CVE-2025-27210: Path Traversal Bypass Using Windows Device Names
On Windows, Node.js mishandles reserved device names such as CON, PRN and AUX during path normalization. An application that relies on path.normalize() or path.join() to confine a user-supplied path to a base directory can therefore have that protection bypassed.
“An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX,” the OpenJS Foundation reported.
The flaw lies in how path.normalize() and path.join() treat device names in a path, and it lets an attacker who controls part of a path reach files or directories the application did not intend to expose. It is a second attempt at CVE-2025-23084, fixed earlier in 2025, which means applications that stayed on a release carrying the original fix are still affected. Only Windows users of these APIs are affected; the page does not describe any impact on POSIX hosts.
CVE-2025-27209: HashDoS Reintroduced via rapidhash in V8
The second vulnerability is specific to Node.js 24.x, which ships a V8 whose internal string hashing was switched to rapidhash. The change was made for performance, but an attacker who controls the strings being hashed can steer rapidhash into collisions, which reopens the hash-flooding (HashDoS) class of attack that seeded string hashing is meant to prevent.
“An attacker who can control the strings to be hashed can generate many hash collisions—even without knowing the hash-seed,” the Node.js team explained.
The V8 team does not treat this behaviour as a security bug. The Node.js project took a different view for its own releases, citing the impact on real deployments.
“The Node.js project considers it [a vulnerability] due to its potential impact in real-world scenarios,” the advisory affirms.
In a HashDoS attack the attacker submits input whose keys (JSON property names, query parameters, header names) all hash to the same bucket. Insertions and lookups that should be constant time degrade to linear scans of one long chain, so a modestly sized request can consume seconds of CPU and starve the rest of the service.
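To make the degradation concrete, here is an added example that is not from V8, Node.js or the advisory and does not use rapidhash. It builds a minimal chained hash table that counts key comparisons, feeds it constructed attacker keys that all collide under a deliberately weak hash (sum of UTF-16 code units), and compares the cost against the same keys under 32-bit FNV-1a. The names sumHash, fnv1a, ChainedTable, collidingKeys and measure are all constructed for the example. The weak hash stands in for any hash whose collisions an attacker can construct; application code cannot swap V8's internal string hash, so the mitigation is to upgrade and to bound how many attacker-controlled keys a request may carry.

```javascript
'use strict';

// Toy string hash: sum of UTF-16 code units. Deliberately trivial to collide.
// It is NOT V8's rapidhash; it just models "a hash the attacker can collide".
function sumHash(s) {
  let h = 0;
  for (let i = 0; i < s.length; i++) h = (h + s.charCodeAt(i)) >>> 0;
  return h;
}

// 32-bit FNV-1a over the same code units, as the comparison point. The same
// attacker keys spread across buckets instead of piling into one chain.
function fnv1a(s) {
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Minimal chained hash table that counts key comparisons, so the cost of a
// long chain is measured rather than inferred from timing.
class ChainedTable {
  constructor(hashFn, bucketCount = 1024) {
    this.hashFn = hashFn;
    this.buckets = Array.from({ length: bucketCount }, () => []);
    this.comparisons = 0;
  }
  bucket(key) {
    return this.buckets[this.hashFn(key) % this.buckets.length];
  }
  set(key, value) {
    const chain = this.bucket(key);
    for (const e of chain) {
      this.comparisons++;
      if (e.key === key) { e.value = value; return; }
    }
    chain.push({ key, value });
  }
  get(key) {
    for (const e of this.bucket(key)) {
      this.comparisons++;
      if (e.key === key) return e.value;
    }
    return undefined;
  }
}

// Constructed attacker input: n distinct two-character keys whose code units
// always sum to the same value, so every one of them collides under sumHash.
function collidingKeys(n) {
  const keys = [];
  for (let i = 0; i < n; i++) keys.push(String.fromCharCode(65 + i, 65 + (n - 1 - i)));
  return keys;
}

// Insert every key, then look every key up; return the total comparisons.
// With all keys in one chain this is n*(n-1)/2 + n*(n+1)/2 = n^2.
function measure(hashFn, keys) {
  const t = new ChainedTable(hashFn);
  for (const k of keys) t.set(k, true);
  for (const k of keys) t.get(k);
  return t.comparisons;
}

const demoKeys = collidingKeys(500);
console.log('sum hash   comparisons:', measure(sumHash, demoKeys)); // 250000, one chain
console.log('fnv1a hash comparisons:', measure(fnv1a, demoKeys));   // a few hundred
```

The point of the comparison counter is that the attacker's work is linear (generate n colliding keys) while the victim's work is quadratic (n^2 comparisons); scaling n to the tens of thousands in a single request body is what turns this into a denial of service.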
Patch Versions Now Available
To address these vulnerabilities, the OpenJS Foundation has released a patched version of each supported line (the HashDoS fix is needed only on 24.x, the only line that uses rapidhash; all three lines receive the path traversal fix):
Node.js v20.19.4
Node.js v22.17.1
Node.js v24.4.1