
CVE-2025-27209
https://notcve.org/view.php?id=CVE-2025-27209
18 Jul 2025 — The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability, as an attacker who can control the strings to be hashed can generate many hash collisions; an attacker can generate collisions even without knowing the hash-seed. This vulnerability affects Node.js v24.x users. • https://nodejs.org/en/blog/vulnerability/july-2025-security-releases • CWE-407: Inefficient Algorithmic Complexity

CVE-2025-27210 – NodeJS 24.x - Path Traversal
https://notcve.org/view.php?id=CVE-2025-27210
16 Jul 2025 — An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the `path.join` API. • https://packetstorm.news/files/id/207136 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-23166 – nodejs: Remote Crash via SignTraits::DeriveBits() in Node.js
https://notcve.org/view.php?id=CVE-2025-23166
19 May 2025 — The C++ method SignTraits::DeriveBits() may incorrectly call ThrowException() based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary to remotely crash a Node.js runtime. A flaw was found in Node.js, specifically in the C++ method SignTraits::DeriveBits(). This vulnerability can allow a remote attacker to crash the Node.js runtime via untrust... • https://nodejs.org/en/blog/vulnerability/may-2025-security-releases • CWE-248: Uncaught Exception