What are CVE-2025-27210 and CVE-2025-27209 vulnerabilities in Node.js, and how can Windows applications protect against these high-severity flaws?

The OpenJS Foundation has released security patches for Node.js versions 20.x, 22.x, and 24.x to address two high-severity vulnerabilities, CVE-2025-27210 and CVE-2025-27209. CVE-2025-27210 exposes Windows applications to path traversal attacks using reserved device names like CON and AUX, while CVE-2025-27209 reintroduces HashDoS risk through hash collisions in the string hashing algorithm used by the V8 engine in Node.js 24.x. These vulnerabilities can lead to unauthorized file access and backend service disruptions. Developers are strongly advised to update Node.js to the fixed versions (v20.19.4, v22.17.1, v24.4.1) and to apply strict input validation and server hardening measures to protect against exploitation.

The OpenJS Foundation has issued security advisories for two high-severity vulnerabilities in Node.js. CVE-2025-27210 is Windows-specific and affects the 20.x, 22.x, and 24.x release lines; CVE-2025-27209 affects 24.x on every platform. The first lets attackers abuse how Node.js path functions handle Windows reserved device names, the second lets them mount denial-of-service (DoS) attacks on servers through hash collisions.

What Happened?

Two high-severity vulnerabilities were identified and patched in Node.js, impacting Windows-based applications and backend services:

CVE-2025-27210 — Path Traversal via Windows Device Names

  • Severity: High

  • Affected Versions: Node.js 20.x, 22.x, 24.x

  • Impact: Unauthorized file access

  • Environment: Windows only

How It Works:

Attackers can supply Windows reserved device names as file names, such as:

  • CON

  • PRN

  • AUX

On Windows these names refer to devices rather than ordinary files, whatever directory they appear in, and Node.js's path.join() and path.normalize() did not treat them specially. The flaw is an incomplete fix for CVE-2025-23084, which had addressed drive-letter prefixes but not device names. Code that joins a user-supplied name onto a base directory and assumes the result is a regular file inside that directory can therefore be made to reach a device or a location it did not intend, which is why the issue is classed as path traversal. NUL, COM1 through COM9, and LPT1 through LPT9 belong to the same reserved set.

Real-World Example:

If an application accepts uploads and builds the destination with path.join(uploadDir, userSuppliedName) without validating the name, a name such as CON or AUX (in any letter case, and with or without an extension, e.g. CON.txt) is not a regular file name and can bypass checks that assume the joined path is an ordinary file inside uploadDir.

CVE-2025-27209 — Hash Collision Denial of Service (HashDoS)

  • Severity: High

  • Affected Versions: Node.js 24.x

  • Impact: Denial of Service (DoS)

  • Environment: Cross-platform

What Happened:

The V8 engine shipped in Node.js 24.x changed how string hashes are computed, adopting the rapidhash algorithm.

An attacker who controls strings that get hashed, such as JSON object keys, query-parameter names, or header names, can submit many values that collide. Only one hash per string needs to be computed for the collisions to take effect, so a single request body can force quadratic work and overload:

  • Web servers

  • Backend APIs

  • Authentication services

Why It Matters:

This reintroduces an old risk, first demonstrated against web platforms in 2011, where hash collisions degrade hash-table operations from constant time to linear time and consume excessive CPU, leading to:

  • Application slowdown

  • Outages

  • Increased hosting costs

Why It’s Dangerous for Windows Applications

  • Windows-specific attack surface: CVE-2025-27210 exploits how Windows resolves reserved device names, so only Windows hosts are affected, but any Node.js service that builds file paths from user input on Windows is exposed.

  • HashDoS risk: Modern Node.js applications use user-generated input extensively—particularly APIs and forms—which are prime targets for HashDoS.

If left unpatched, companies risk:

  • Unauthorized data access

  • Backend service crashes

  • Financial losses due to downtime

CVSS Scores (Estimates)

Vulnerability    Severity  CVSS v3 Score (Estimate)
CVE-2025-27210   High      7.8
CVE-2025-27209   High      7.5

These figures are this article's estimates; the authoritative ratings are those published in the Node.js security advisory and in the NVD entry for each CVE.

How to Patch Your Node.js Environment

The OpenJS Foundation has released fixed versions addressing both vulnerabilities: v20.19.4, v22.17.1, and v24.4.1 (July 15, 2025).

Action Steps:

  • Upgrade Node.js to the latest patched versions.

  • Review application code for uses of path.normalize() and path.join() on user-controlled input, especially where the result is assumed to stay inside a base directory.

  • Apply strict input validation: reject reserved device names and path separators in file names, and cap request body size and the number of keys a request may carry.

Security Best Practices for Node.js Developers

  • Always validate file names and paths, especially in upload handlers.

  • Run the Node.js process with least privilege and confine uploads to a dedicated directory, so a path-handling bug cannot reach sensitive files (Content Security Policy is a browser-side control and does not mitigate server-side path traversal).

  • Implement request rate limiting and monitoring to detect HashDoS attempts.

  • Use Helmet.js to set HTTP security headers, and use OWASP NodeGoat, a deliberately vulnerable training application, to practise recognising these attack classes; it is not a hardening library.

Conclusion

These two high-severity Node.js vulnerabilities underscore why regular security updates and monitoring are critical. While an open-source runtime like Node.js offers tremendous flexibility, it also carries risks that developers must proactively manage.

By upgrading immediately and auditing your Node.js codebase, you can shield your applications from unauthorized file access and denial-of-service attacks—especially in Windows environments.

FAQs 

What is CVE-2025-27210 in Node.js?

CVE-2025-27210 is a high-severity path traversal vulnerability in Node.js affecting Windows environments, allowing attackers to access unauthorized files using special device names like CON and AUX.

What is CVE-2025-27209 in Node.js?

CVE-2025-27209 is a high-severity vulnerability related to Hash Collision Denial of Service (HashDoS) in Node.js 24.x, caused by changes in the string hashing algorithm (rapidhash).

Which Node.js versions are affected by CVE-2025-27210?

Node.js versions 20.x, 22.x, and 24.x on Windows are affected by CVE-2025-27210.

Which Node.js versions are affected by CVE-2025-27209?

Node.js 24.x versions are impacted by CVE-2025-27209.

Why is CVE-2025-27210 dangerous?

It allows attackers to bypass security restrictions and access or manipulate files in unauthorized directories on Windows systems.

Why is CVE-2025-27209 dangerous?

Attackers can overload servers using crafted input that causes excessive hash collisions, leading to denial-of-service.

How do attackers exploit CVE-2025-27210?

By passing reserved device names as file-name input to path functions such as path.join() and path.normalize(), whose results the application then uses to read or write files.

What is HashDoS in Node.js?

HashDoS (Hash Collision Denial of Service) occurs when an attacker sends many inputs that result in the same hash, overloading server resources.

What is rapidhash in Node.js 24.x?

Rapidhash is a string hashing algorithm introduced in Node.js 24.x, which unintentionally reintroduced HashDoS vulnerabilities.

How can I check if my Node.js version is vulnerable?

Run node -v in your terminal. Any 20.x version below v20.19.4, 22.x below v22.17.1, or 24.x below v24.4.1 is vulnerable; release lines not covered by the advisory should be upgraded to a supported line rather than assumed safe.

How do I patch Node.js for CVE-2025-27210 and CVE-2025-27209?

Update to the latest secure versions: v20.19.4, v22.17.1, or v24.4.1 using Node.js official download links.

Where can I download the patched Node.js versions?

You can download patched versions from the official Node.js website or the links provided by the OpenJS Foundation.

Does this vulnerability affect Linux or Mac systems?

CVE-2025-27210 specifically affects Windows systems. CVE-2025-27209 can impact all systems running Node.js 24.x.

How does path.normalize() contribute to this vulnerability?

path.normalize(), which path.join() calls, did not recognise Windows reserved device names, so a crafted name passed through it came back looking like an ordinary relative path and could bypass restrictions built on that assumption.

What should Windows developers do immediately?

Update Node.js versions, review code handling file paths, and implement validation for file names and paths.

How common are HashDoS attacks?

HashDoS attacks have been known for years and can significantly impact high-traffic servers if not mitigated.

Can HashDoS affect APIs built with Node.js?

Yes, especially if APIs handle user-generated input that is not properly validated.

What is the official fix for CVE-2025-27210?

The OpenJS Foundation patched the vulnerable path handling functions in Node.js v20.19.4, v22.17.1, and v24.4.1.

What is the official fix for CVE-2025-27209?

The Node.js team adjusted the rapidhash algorithm to mitigate hash collision issues in version 24.4.1.

How do I verify if my application is safe after updating?

Re-run your file-name validation tests with device-name inputs (CON, con.txt, AUX, NUL and the COM/LPT names) and load-test endpoints with request bodies and query strings carrying very many keys, using security testing tools and input fuzzers.

Can third-party packages in Node.js contribute to this risk?

Yes, insecure packages may use vulnerable functions like path.join() without validation.

What is the role of OpenJS Foundation in Node.js security?

The OpenJS Foundation oversees Node.js development and releases official security advisories and patches.

Are there specific libraries that can help mitigate these risks?

Libraries like Helmet.js for HTTP security and middleware for input sanitization can help harden applications.

What does CVSS score mean in these vulnerabilities?

The Common Vulnerability Scoring System (CVSS) assigns severity ratings based on impact, complexity, and exploitability.

Should backend teams prioritize patching for these vulnerabilities?

Yes, especially for Windows-based Node.js servers and applications handling sensitive user data.

Is downgrading Node.js a safe temporary solution?

No. Downgrading is not recommended as it may expose other unpatched vulnerabilities.

What proactive steps can Node.js developers take?

Regularly update dependencies, audit code for unsafe file handling, and monitor Node.js security announcements.

Can this vulnerability be exploited remotely?

Yes, especially if the application accepts user input over the web or API endpoints.

How can enterprises protect large Node.js deployments?

Implement automated patch management, regular code audits, and robust application firewalls.

Is there a GitHub advisory for CVE-2025-27210 and CVE-2025-27209?

Yes. The Node.js project publishes GitHub security advisories in the nodejs/node repository and announces security releases on the Node.js blog.