Node.js has released security updates addressing two high-severity vulnerabilities affecting all active release lines, including versions 20.x, 22.x, and 24.x.
The patches were published on July 15, 2025 and address flaws that could expose Windows systems to path traversal and enable denial-of-service attacks.
Windows Device Names Bypass Vulnerability
The first vulnerability, designated CVE-2025-27210, represents an incomplete fix for a previously addressed security issue (CVE-2025-23084).
This high-severity flaw concerns Windows device names such as CON, PRN, and AUX, which can be used to bypass the path traversal protection in the path.normalize() function.
The vulnerability impacts Windows users utilizing the path.join API across all active Node.js release lines. Security researcher oblivionsage reported this issue, with RafaelGSS providing the necessary fix.
HashDoS Attack Vector in V8 Engine
The second vulnerability, CVE-2025-27209, introduces a Hash Denial of Service (HashDoS) attack vector within the V8 JavaScript engine used in Node.js v24.0.0.
This security flaw emerged from changes to string hash computation using the rapidhash algorithm, which inadvertently reintroduced collision vulnerabilities.
Attackers can exploit this by controlling input strings to generate numerous hash collisions without requiring knowledge of the hash seed, potentially causing system performance degradation.
While the V8 development team does not classify this as a security vulnerability, the Node.js project considers it critical due to real-world exploitation potential.
Security researcher sharp_edged identified this issue, with Targos implementing the resolution.
Updated Releases and Security Recommendations
The security updates are available through Node.js versions 20.19.4, 22.17.1, and 24.4.1.
The Node.js project emphasizes that End-of-Life versions remain vulnerable during security releases, strongly recommending users upgrade to supported versions according to the official Release Schedule.
Users can access the current security policy and vulnerability reporting procedures through the project’s official documentation while staying informed through the nodejs-sec mailing list for future security announcements.