CVE-2025-27210 is a high-severity vulnerability affecting the Node.js runtime environment, specifically its 'path.join' API on Windows platforms. This vulnerability is an incomplete fix of a previous issue identified as CVE-2025-23084. The root cause relates to improper handling of Windows reserved device names such as CON, PRN, and AUX within the 'path.join' function. These reserved names are special device files in Windows that can cause unexpected behavior if used improperly in file path operations. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), indicating a directory traversal or path manipulation flaw. The CVSS 3.0 score of 7.5 (High) reflects that the vulnerability can be exploited remotely (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. Exploiting this vulnerability could allow an attacker to access sensitive files or directories by manipulating file paths using these reserved device names, bypassing intended access controls. The vulnerability affects Node.js versions 20.0.0, 22.0.0, and 24.0.0 on Windows systems. No known exploits are currently observed in the wild, and no patches have been linked yet, indicating that mitigation may require vendor updates or workarounds. Given Node.js's widespread use in server-side applications, especially in web services, this vulnerability poses a significant risk to Windows-based Node.js deployments that handle file system operations involving user input or untrusted data.

For European organizations, this vulnerability presents a substantial risk, particularly for those running Node.js applications on Windows servers. Exploitation could lead to unauthorized disclosure of sensitive information by accessing files that should be restricted, potentially exposing personal data, intellectual property, or configuration files containing credentials. This is especially critical for sectors like finance, healthcare, and government, where data confidentiality is paramount and regulated under GDPR. The lack of required privileges or user interaction lowers the barrier for attackers, increasing the likelihood of exploitation. Additionally, organizations relying on Node.js for internal tools or customer-facing services may face reputational damage and compliance violations if sensitive data is leaked. The incomplete fix nature suggests that even patched systems might remain vulnerable until a comprehensive update is released, prolonging exposure. The absence of known exploits in the wild currently reduces immediate risk but does not preclude targeted attacks or future exploitation once proof-of-concept code becomes available.

European organizations should take immediate steps to mitigate this vulnerability beyond waiting for official patches. First, audit all Node.js applications running on Windows to identify usage of the 'path.join' API, especially where input is derived from untrusted sources. Implement strict input validation and sanitization to reject or safely handle reserved Windows device names (CON, PRN, AUX, etc.) in file paths. Employ application-layer whitelisting to restrict file system access to known safe directories. Consider deploying runtime monitoring tools to detect anomalous file access patterns indicative of exploitation attempts. Where feasible, isolate Node.js applications in sandboxed environments or containers with limited file system permissions to minimize potential damage. Stay informed on Node.js security advisories for forthcoming patches addressing this incomplete fix and plan timely updates. Additionally, conduct security awareness training for developers to understand the risks of path manipulation and secure coding practices related to file system operations on Windows.