InfoSecBulletin Cybersecurity for mankind
The OpenJS Foundation has updated Node.js 24.x, 22.x, and 20.x to fix two serious vulnerabilities—CVE-2025-27210 and CVE-2025-27209—that could endanger Windows applications and web services using JavaScript’s V8 engine.
These issues, involving path traversal bypass and hash collision denial-of-service (HashDoS), impact millions of backend and full-stack applications globally.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
CVE-2025-27210: Path Traversal Bypass Using Windows Device Names
Node.js applications on Windows platforms are vulnerable to a path normalization flaw that allows attackers to bypass directory traversal protections using special device names like CON, PRN, or AUX.
“An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX,” the OpenJS Foundation reported.
The vulnerability is in how path.normalize() and path.join() handle device names, allowing attackers to manipulate filesystem paths and access unauthorized files or directories.
CVE-2025-27209: HashDoS Reintroduced via rapidhash in V8
A second vulnerability affects Node.js 24.x users due to changes in the string hashing algorithm of the V8 JavaScript engine. The update added rapidhash, leading to potential HashDoS attacks despite its performance advantages.
“An attacker who can control the strings to be hashed can generate many hash collisions—even without knowing the hash-seed,” the Node.js team explained.
Although the V8 team did not classify this behavior as a security flaw, Node.js maintainers overrode that position, citing real-world impact and risk.
“The Node.js project considers it [a vulnerability] due to its potential impact in real-world scenarios,” the advisory affirms.
HashDoS attacks can harm backend services by overloading hash tables, leading to poor server performance.
Patch Versions Now Available
To address these vulnerabilities, the OpenJS Foundation has released:
Node.js v20.19.4
Node.js v22.17.1
Node.js v24.4.1
