The OpenJS Foundation has released important updates to the Node.js 24.x, 22.x, and 20.x release lines, addressing two high-severity vulnerabilities—CVE-2025-27210 and CVE-2025-27209—that pose risks to Windows-based applications and to web services relying on the V8 JavaScript engine.
These issues, a path traversal protection bypass and a hash collision denial-of-service (HashDoS), affect the many backend and full-stack applications built on Node.js.
CVE-2025-27210: Path Traversal Bypass Using Windows Device Names
Node.js applications on Windows are affected by a path normalization flaw that allows attackers to bypass directory traversal protections using reserved Windows device names such as CON, PRN, or AUX.
“An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX,” the OpenJS Foundation reported.
The vulnerability lies in how the path.normalize() and path.join() APIs handle device names in path segments. An attacker who controls part of a path can use this behavior to escape the intended directory and potentially read or write files that should be out of reach.
CVE-2025-27209: HashDoS Reintroduced via rapidhash in V8
The second vulnerability, affecting Node.js 24.x, arises from a recent change to the string hashing algorithm in the V8 JavaScript engine. The update introduced rapidhash, which—despite its performance benefits—reopened the door to HashDoS attacks.
“An attacker who can control the strings to be hashed can generate many hash collisions—even without knowing the hash-seed,” the Node.js team explained.
Although the V8 team did not classify this behavior as a security flaw, the Node.js maintainers took a different position, citing real-world impact and risk.
“The Node.js project considers it [a vulnerability] due to its potential impact in real-world scenarios,” the advisory affirms.
HashDoS attacks can cripple backend services: an attacker who submits many keys that collide in the hash table (for example, as JSON property names or query parameters) forces lookups and inserts into worst-case linear time, consuming CPU and significantly degrading server performance.
Patch Versions Now Available
To address these vulnerabilities, the OpenJS Foundation has released: