Cyber Security

Critical Node.js Vulnerabilities Expose Windows Applications to Path Traversal and HashDoS Attacks

Critical Security Updates Released for Node.js Applications

by William
by William
Cyber Security Matters. Spread the Word.

Node.js vulnerabilities have reached critical severity levels with two high-impact flaws affecting multiple release lines. The Node.js project released emergency security patches on July 15, 2025, addressing CVE-2025-27210 and CVE-2025-27209. These vulnerabilities pose significant risks to Windows applications and enable denial-of-service attacks across active Node.js versions.

Security researchers discovered these flaws affect versions 20.x, 22.x, and 24.x. The vulnerabilities demonstrate how incomplete security fixes create persistent attack vectors. Organisations running Node.js applications must prioritise immediate updates to mitigate these security risks.

Understanding CVE-2025-27210: Windows Path Traversal Vulnerability

Windows Device Names Bypass Path Protection

The Windows path traversal (CVE-2025-27210) vulnerability allows attackers to exploit Windows device names. Reserved device names like CON, PRN, and AUX bypass path traversal protection mechanisms. This flaw affects the path.normalize() function in Node.js applications.

Security researcher oblivionsage discovered this vulnerability. The issue demonstrates incomplete security fixes from previous patches. Attackers can potentially access unauthorised system resources or sensitive file locations.

Impact on Windows-Based Node.js Applications

Windows-based Node.js applications face widespread security concerns. The vulnerability affects all users across active release lines. This creates significant exposure for production environments running on Windows systems.

Step-by-Step Attack Scenario

  1. Attacker identifies target: Malicious actor finds Node.js application using path.normalize()
  2. Crafts malicious input: Attacker constructs payload using Windows device names (CON, PRN, AUX)
  3. Bypasses protection: Device names circumvent path traversal protection mechanisms
  4. Accesses restricted resources: Unauthorised access to system files or sensitive directories
  5. Potential data exfiltration: Sensitive information may be exposed or modified

Examining CVE-2025-27209: HashDoS Attack Through V8 Engine

RapidHash Implementation Flaw

The HashDoS attack (CVE-2025-27209) targets the V8 JavaScript engine’s string hashing implementation. Node.js v24.0.0 modified string hash computation to use rapidhash. This change inadvertently reintroduced a hash collision vulnerability.

Sharp_edged reported this vulnerability, with fixes implemented by targos. The flaw allows attackers controlling input strings to generate numerous hash collisions. Knowledge of the hash seed is not required for exploitation.

Performance Degradation and Denial-of-Service

Applications processing user-controlled string data face performance degradation risks. Hash collisions can lead to potential denial-of-service conditions. The V8 development team does not classify this as a security vulnerability.

However, the Node.js project took a conservative approach. Real-world deployment scenarios recognise the potential impact. This vulnerability specifically affects Node.js v24.x users.

Security Updates and Mitigation Strategies

Released Security Patches

The Node.js project released updated versions addressing these Node.js vulnerabilities:

  • Node.js v20.19.4 (LTS)
  • Node.js v22.17.1 (LTS)
  • Node.js v24.4.1 (Current)

Immediate Action Required

Organisations must update their Node.js installations immediately. Windows systems and v24.x releases require priority attention. Top pen testing companies recommend thorough vulnerability assessments following these updates.

End-of-Life versions remain vulnerable during security releases. Maintaining current versions according to the official release schedule is crucial. Security teams should validate patch effectiveness through comprehensive testing.

Professional Penetration Testing Services

Comprehensive Security Assessment

Professional web application penetration testing identifies vulnerabilities before attackers exploit them. Regular security assessments ensure Node.js applications remain protected against emerging threats.

Aardwolf Security provides comprehensive penetration testing services for Node.js applications. Our expert team identifies security weaknesses and provides actionable remediation guidance. We specialise in Windows-based application security and V8 engine vulnerability assessment.

Contact Aardwolf Security today to schedule your Node.js security assessment. Our certified professionals ensure your applications remain secure against the latest Node.js vulnerabilities.

Frequently Asked Questions

What are the main Node.js vulnerabilities affecting Windows applications?

CVE-2025-27210 and CVE-2025-27209 are the primary Node.js vulnerabilities affecting Windows applications. CVE-2025-27210 enables Windows path traversal attacks through device names. CVE-2025-27209 creates HashDoS conditions through V8 engine flaws.

How does the Windows path traversal vulnerability work?

The Windows path traversal vulnerability exploits reserved device names like CON, PRN, and AUX. These names bypass path.normalize() protection mechanisms. Attackers can access unauthorised system resources or sensitive file locations.

What is a HashDoS attack in Node.js?

A HashDoS attack exploits hash collision vulnerabilities in string processing. Attackers control input strings to generate numerous hash collisions. This causes performance degradation and potential denial-of-service conditions.

Which Node.js versions are affected by these vulnerabilities?

Node.js versions 20.x, 22.x, and 24.x are affected by CVE-2025-27210. CVE-2025-27209 specifically affects Node.js v24.x. All Windows-based Node.js applications face potential risks.

How can I protect my Node.js applications from these vulnerabilities?

Update to the latest Node.js versions immediately: v20.19.4, v22.17.1, or v24.4.1. Implement comprehensive security testing and validation. Consider professional penetration testing services for thorough assessment.

When were these Node.js vulnerabilities discovered and patched?

Security researchers discovered these vulnerabilities in early 2025. The Node.js project released emergency security patches on July 15, 2025. Immediate updates are recommended for all affected versions.

Glossary

HashDoS: Hash Denial-of-Service attack exploiting hash collision vulnerabilities to degrade system performance

Path Traversal: Security vulnerability allowing unauthorised access to files and directories outside intended scope

V8 Engine: JavaScript engine powering Node.js and Chrome browser applications

CVE: Common Vulnerabilities and Exposures identifier for publicly disclosed security flaws

RapidHash: Hash function implementation used in V8 engine for string processing

Further Reading

  1. Node.js Official Security Releases
  2. OWASP Path Traversal Prevention

Cyber Security Matters. Spread the Word.

William is a seasoned cybersecurity professional with over a decade of experience in the realm of penetration testing. Having conducted hundreds of penetration tests for a diverse range of industries, Wiliam's expertise lies in identifying vulnerabilities and fortifying defences before they can be exploited by malicious actors. His meticulous approach to each penetration test ensures that clients receive comprehensive insights into their security posture, allowing them to make informed decisions about safeguarding their digital assets. Passionate about staying ahead of the ever-evolving threat landscape, William continuously updates his skills and methodologies to ensure that every penetration test he conducts meets the highest standards of thoroughness and accuracy. His dedication to the craft has not only protected countless organisations from potential breaches but has also solidified his reputation as a senior expert in penetration testing.

You may also like

Critical Railway Security Vulnerability: Hackers Can Now Control Train Brakes Remotely

A Guide to Today’s Most Treacherous Online Scams

Texas Porn Law Upheld: Supreme Court Mandates Age Verification

The Dangers of Vibe Coding

Advanced Screening CTF Walkthrough

Companies House Identity Verification: New Rules for Directors

Build Your Own VPN For Enhanced Online Security and Privacy

Default Credentials: How to Secure Your Systems

Understanding File Upload Vulnerabilities

Cartier Data Breach & The North Face Cyberattack