Node.js Vulnerabilities Exposes Windows App to Path Traversal and HashDoS Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
The Node.js project has released critical security updates across multiple release lines to address two high-severity vulnerabilities affecting Windows applications and V8 engine implementations.\u00a0<\/p>\n
Security releases are now available for Node.js versions 20.x, 22.x, and 24.x, with patches addressing a path traversal<\/a> bypass and a HashDoS attack vector that could significantly impact application security and performance.<\/p>\n A critical vulnerability identified as CVE-2025-27210 has been discovered in Node.js, specifically targeting Windows device names including CON, PRN, and AUX.\u00a0<\/p>\n This high-severity issue represents an incomplete fix for the previously patched CVE-2025-23084, demonstrating how attackers can bypass path traversal protection mechanisms in the path.normalize() function.<\/p>\n The vulnerability affects all Windows users utilizing the path.join() API across active release lines 20.x, 22.x, and 24.x.\u00a0<\/p>\n When processing file paths containing Windows<\/a> reserved device names, the path.normalize() function fails to properly sanitize inputs, allowing attackers to traverse directory structures and potentially access sensitive files outside the intended scope.\u00a0<\/p>\n This directory traversal attack could enable unauthorized file system access, configuration file exposure, or arbitrary file reading depending on application permissions.<\/p>\n The technical implementation flaw occurs when the normalization process encounters Windows-specific device names, which are treated as special system files by the operating system.\u00a0<\/p>\n Attackers can craft malicious paths like ..\/..\/..\/CON\/..\/..\/sensitive.txt to bypass security controls that should prevent access to parent directories.<\/p>\n The second vulnerability, CVE-2025-27209, affects the V8 JavaScript engine<\/a> used in Node.js v24.0.0, introducing a Hash Denial of Service (HashDoS) attack vector.\u00a0<\/p>\n This high-severity issue stems from changes in how the V8 engine computes string hashes using the rapidhash implementation, which reintroduces collision-based vulnerabilities.<\/p>\n The HashDoS attack allows malicious actors to generate numerous hash collisions by controlling input strings, even without knowledge of the hash seed.\u00a0<\/p>\n This can lead to algorithmic complexity attacks where hash table operations degrade from O(1) to O(n) performance, potentially causing severe application slowdowns or complete service disruption.<\/p>\n Unlike traditional hash collision attacks that require knowledge of internal hash functions, this vulnerability enables attackers to craft collision-prone strings that force the hash table into worst-case performance scenarios.\u00a0<\/p>\n Applications processing user-controlled data through hash-based data structures become particularly vulnerable to CPU exhaustion<\/a> attacks.<\/p>\n The Node.js project has prioritized this as a security vulnerability despite the V8 team\u2019s classification, recognizing its potential impact in real-world deployment scenarios where application availability is critical.<\/p>\nKey Takeaways<\/strong>
<\/mark>1. Node.js patched two high-severity flaws - Windows path traversal bypass (CVE-2025-27210) and V8 HashDoS attack (CVE-2025-27209).
2. Windows apps on Node.js 20.x, 22.x, 24.x vulnerable to path traversal; V8 HashDoS impacts only 24.x users.
3. Attackers can access unauthorized files via Windows device names and cause service disruption through hash collisions.
4. Update immediately to patched versions - v20.19.4, v22.17.1, and v24.4.1.<\/pre>\nWindows Path Traversal Vulnerability\u00a0<\/strong><\/h2>\n
V8 HashDoS Vulnerability\u00a0<\/strong><\/h2>\n