v20.19.4

📦 node-js

Summary

This security release addresses CVE-2025-27210, fixing a path traversal protection bypass in path.normalize() related to Windows reserved device names.

⚠️ Breaking Changes

  • The path.normalize() function on Windows now correctly handles reserved device names (CON, PRN, AUX, etc.), which may change the output for paths previously exploiting these names to bypass traversal protections.

Migration Steps

  1. Update Node.js to the latest security release to ensure path.normalize() correctly handles Windows reserved device names.

🐛 Bug Fixes

  • Fixed a security vulnerability (CVE-2025-27210) where Windows device names could bypass path traversal protection in path.normalize().
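A defense-in-depth check that can sit alongside the upgrade, shown as an added example (not code from Node.js or from this release): it rejects reserved device names in any segment of an untrusted relative path before resolving it, then confirms the result stays under the base directory. The names `safeJoin` and `isReservedSegment` and the `C:\srv\uploads` root are hypothetical, and `path.win32` is used so the check behaves the same on any host OS.

```javascript
const path = require('node:path');

// Windows reserved device names: CON, PRN, AUX, NUL, COM1-9, LPT1-9.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

// True when a single path segment names a reserved device.
function isReservedSegment(segment) {
  // Windows also maps "NUL.txt" and "NUL " to the device, so compare only
  // the part before the first dot, with trailing spaces removed.
  const base = segment.split('.')[0].trimEnd();
  return RESERVED.test(base);
}

// Returns the absolute path under `root`, or null if `untrusted` is rejected.
function safeJoin(root, untrusted) {
  if (typeof untrusted !== 'string' || untrusted.includes('\0')) return null;
  // A relative file name never needs a colon (drive letter, stream, "CON:").
  if (untrusted.includes(':')) return null;
  // Check every segment, whichever separator the caller used.
  if (untrusted.split(/[\\/]+/).some(isReservedSegment)) return null;

  const base = path.win32.resolve(root);
  const target = path.win32.resolve(base, untrusted);
  // Containment check on the resolved result, not on the raw input.
  const rel = path.win32.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel);
  if (rel === '' || escapes) return null;
  return target;
}

// Constructed sample inputs (hypothetical upload root).
const ROOT = 'C:\\srv\\uploads';
for (const name of ['docs\\a.txt', 'console.log', 'aux.txt', 'docs\\COM1', '..\\secret.txt']) {
  console.log(JSON.stringify(name), '->', safeJoin(ROOT, name));
}
```

Rejecting the reserved names outright means the result does not depend on how a given Node.js version normalizes them.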

Affected Symbols