Node.js 20.x < 20.19.4 / 22.x < 22.17.1 / 24.x < 24.4.1 Multiple Vulnerabilities (Tuesday, July 15, 2025 Security Releases).

critical Nessus Plugin ID 242134

Synopsis

Node.js, a JavaScript run-time environment, is affected by multiple vulnerabilities.

Description

The version of Node.js installed on the remote host is prior to 20.19.4, 22.17.1, or 24.4.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Tuesday, July 15, 2025 Security Releases advisory.

- The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. While the V8 team does not classify this as a security vulnerability, the Node.js project considers it one due to its potential impact in real-world scenarios. Impact: Thank you to sharp_edged for reporting this vulnerability and thank you targos for fixing it. (CVE-2025-27209)

- An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of the path.join API. Impact: Thank you to oblivionsage for reporting this vulnerability and thank you RafaelGSS for fixing it. (CVE-2025-27210)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 20.19.4 / 22.17.1 / 24.4.1 or later.
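
The version comparison described above, written out as an added example (not Tenable's plugin code and not Node.js project code): it flags a self-reported version as affected when it is below the fixed release for its line. The function names and the sample inventory are constructed for illustration; release lines other than 20.x, 22.x and 24.x are reported as not covered because this page gives no thresholds for them.

```javascript
// Fixed releases per major line, taken from this advisory.
const FIXED = { 20: [20, 19, 4], 22: [22, 17, 1], 24: [24, 4, 1] };

// Parse "v22.17.0" or "22.17.0" into [major, minor, patch]; null if malformed.
// Assumption: a pre-release/build suffix ("-rc.1", "+build") is ignored.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(raw).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric, field-by-field comparison (a string compare would rank 24.10.0 below 24.4.1).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// status: 'affected' | 'fixed' | 'not-covered' | 'unparseable'
function checkNodeVersion(raw) {
  const v = parseVersion(raw);
  if (!v) return { status: 'unparseable', fixed: null };
  const fixed = FIXED[v[0]];
  if (!fixed) return { status: 'not-covered', fixed: null };
  const status = compare(v, fixed) < 0 ? 'affected' : 'fixed';
  return { status, fixed: fixed.join('.') };
}

// Return the hosts that need an upgrade, with the target version for each.
function audit(inventory) {
  return inventory
    .map(({ host, version }) => ({ host, version, ...checkNodeVersion(version) }))
    .filter((r) => r.status === 'affected');
}

// Constructed sample inventory (hostnames and versions are made up).
const sampleInventory = [
  { host: 'build-01', version: 'v20.19.3' },
  { host: 'api-02', version: '22.17.1' },
  { host: 'edge-03', version: 'v24.4.0' },
  { host: 'edge-04', version: 'v24.10.0' },
  { host: 'legacy-05', version: 'v18.20.8' },
];

console.log('this runtime:', process.version, checkNodeVersion(process.version));
console.log('needs upgrade:', audit(sampleInventory));
```

Like the plugin, this trusts the reported version string only; it does not test whether a distribution has backported the fixes.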

See Also

https://nodejs.org/en/blog/vulnerability/july-2025-security-releases/

Plugin Details

Severity: Critical

ID: 242134

File Name: nodejs_2025_jul_15.nasl

Version: 1.1

Type: local

Agent: windows, macosx, unix

Family: Misc.

Published: 7/15/2025

Updated: 7/15/2025

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2025-27209

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:nodejs:node.js

Required KB Items: installed_sw/Node.js

Exploit Ease: No known exploits are available

Patch Publication Date: 7/15/2025

Vulnerability Publication Date: 7/15/2025

Reference Information

CVE: CVE-2025-27209, CVE-2025-27210