CVE-2025-23084 - Node.js Path Handling Vulnerability on Windows Exposes Root Directory via `path.join`

Date Published: June 2024
CVE: CVE-2025-23084
Platform: Windows
Component: Node.js (Affected path utilities, specifically path.join)

Introduction

A new vulnerability, CVE-2025-23084, has been discovered in Node.js, specifically related to how Windows file paths with drive names are handled. Functions like path.join mistakenly treat some paths as relative, when they actually point to the root directory of a given drive. This subtle bug could allow attackers—or even just unprivileged code—to unexpectedly reference and operate on files in the root of any drive, not just in a "safe" sandboxed directory.

Let’s break down exactly what this means, how it can be abused, and what you can do to protect yourself or your users.

What’s the Vulnerability?

On Windows, a file path like C:\example.txt explicitly refers to a file on the root of the C: drive.
A relative file path, like example.txt, refers to a location starting from the current directory.

In Node.js, the path.join method is commonly used to construct paths, and it’s supposed to treat all arguments as path segments, joining them in a safe way.

However, if one of the segments is actually a drive name (e.g. C:foo.txt or D:bar.log), Node’s path.join on Windows doesn’t treat these as “special”. It acts as if you’re joining a relative path, but Windows will treat C:foo.txt as relative to the current directory of the C: drive, or worse, as referring to the root, depending on context.

This means

- Instead of containing an operation to a specific folder, untrusted input could allow someone to reference or write to the root of a drive, bypassing basic path traversal protections.

Let’s suppose you want to save logs to a file inside a safe logs directory

const path = require('path');
const fs = require('fs');

function saveLog(filename, data) {
  const logPath = path.join('logs', filename);
  fs.writeFileSync(logPath, data);
}

Expected Usage

saveLog('2024-06-01.log', 'Example log entry');
// Intended: logs/2024-06-01.log

Attack Example

But what if an attacker supplies a file name like C:malicious.log?

saveLog('C:malicious.log', 'Hacked!');
// Actually writes: C:\malicious.log

The code above attempts to save to logs/C:malicious.log, but on Windows, this resolves to the root of the C: drive, not the application's logs directory! Your app has accidentally written a file to the root of the system's C: drive!

Why Does This Happen?

Quoting from official Node.js docs (Path Methods on Windows):
> On Windows, absolute paths are hard to determine because of drive-relative paths and device paths.

In particular, if you pass a string like C:foo.txt to Node’s path.join, it doesn’t recognize the drive prefix as making the path absolute. Thus, when Windows uses it, you’re pointed at the drive's current working directory, which is often the drive root.

How Could This Be Exploited?

- Bypassing directory protection: You try to restrict users to save or read files only inside their own folders, but they give you a file name like D:pwnd.log.
- Accessing system files: If the process runs with enough privileges, attackers could read or overwrite files at the base of any mounted drive.
- Log/backup manipulation: Disrupting logs or backups by redirecting them outside the intended directories.

Reject file names containing drive letters or path separators, especially : and \ on Windows.

- Use sanitize-filename or a similar library.

function isSafeFilename(filename) {
  // Only allow alphanumeric and dashes
  return /^[a-zA-Z-9._-]+$/.test(filename);
}

Always Use Absolute Directories:

- After joining paths, use path.resolve to ensure the final path is inside your intended directory.

function safeJoin(base, filename) {
  const joined = path.join(base, filename);
  const resolved = path.resolve(joined);
  if (!resolved.startsWith(path.resolve(base))) {
    throw new Error('Path traversal or drive abuse detected!');
  }
  return resolved;
}

Upgrade to the latest version of Node.js when a patch addressing this issue is released.

- Track discussion: Node.js GitHub Issue.

References

- Official Node.js path.join Docs
- Node.js Path Security Best Practices
- sanitize-filename npm package
- CVE-2025-23084 MITRE Entry
- Original Node.js issue report *(when/if available)*

Summary

CVE-2025-23084 is a newly identified flaw in Node.js for Windows, where the path utilities mishandle drive names, potentially allowing unprivileged code to access the root directory of any drive. This is particularly dangerous for applications using untrusted input in file paths.

The fix: Always sanitize file names and double-check real paths after joining, especially on Windows. Watch for Node.js updates, and audit your code for unsafe path joins.

Timeline

Published on: 01/28/2025 05:15:11 UTC
Last modified on: 01/28/2025 16:15:40 UTC