CVE-2025-27210 is a vulnerability in the Node.js runtime environment specifically affecting the path.join API on Windows platforms. The issue arises from an incomplete remediation of a prior vulnerability (CVE-2025-23084) that involved improper handling of Windows reserved device names like CON, PRN, and AUX. These device names are special system identifiers in Windows that can cause unexpected behavior when used in file paths. The vulnerability allows an attacker to craft malicious input to the path.join function, potentially bypassing intended path restrictions and causing the application to access or disclose sensitive files. The CVSS v3.0 score of 7.5 reflects a high severity due to the vulnerability's network attack vector, low attack complexity, and no requirement for privileges or user interaction. The impact is primarily on confidentiality, as unauthorized file access could expose sensitive data. The vulnerability affects Node.js versions 20.0.0, 22.0.0, and 24.0.0, which are commonly used in modern web and server-side applications. No public exploits have been reported yet, but the vulnerability is critical enough to warrant immediate attention. The CWE-22 classification indicates a path traversal or directory traversal weakness, emphasizing the need for input validation and secure path handling. Since the vulnerability is specific to Windows device names, it only affects Node.js deployments on Windows systems. The lack of available patches at the time of publication means organizations must implement interim mitigations and monitor for vendor updates.

For European organizations, this vulnerability poses a significant risk to confidentiality, especially for those running Node.js applications on Windows servers that handle sensitive or regulated data such as personal information, financial records, or intellectual property. Exploitation could lead to unauthorized disclosure of files, potentially violating GDPR and other data protection regulations. The vulnerability's presence in widely used Node.js versions means many enterprises, including software development firms, cloud service providers, and critical infrastructure operators, could be affected. The ease of exploitation without authentication or user interaction increases the threat level, making automated attacks feasible. Organizations relying on Windows-based Node.js environments for web services, APIs, or backend processing are particularly vulnerable. The impact on integrity and availability is minimal based on current information, but confidentiality breaches alone can cause substantial reputational and financial damage. Additionally, the incomplete fix suggests that previous mitigation efforts were insufficient, highlighting the need for thorough patch management and code review. The absence of known exploits in the wild provides a window for proactive defense but should not lead to complacency.

European organizations should immediately audit their Node.js environments to identify usage of affected versions (20.0.0, 22.0.0, 24.0.0) on Windows platforms. Until official patches are released, developers should implement strict input validation and sanitization for any file path inputs, explicitly disallowing reserved Windows device names such as CON, PRN, AUX, NUL, COM1-COM9, and LPT1-LPT9. Avoid using path.join with untrusted input or implement custom wrappers that enforce safe path construction. Employ runtime application self-protection (RASP) or Web Application Firewalls (WAF) with rules to detect and block suspicious path traversal attempts targeting device names. Monitor Node.js vendor channels and security advisories closely for patch releases and apply updates promptly. Conduct code reviews focusing on file system access patterns and consider isolating Node.js applications in containers or sandboxes to limit potential damage. Implement logging and alerting on unusual file access patterns to detect exploitation attempts early. Finally, educate development teams about the risks of improper path handling and the specifics of Windows device name vulnerabilities.