CVE-2025-27210 PoC — Node.js 路径遍历漏洞

Source

Associated Vulnerability

Description

(PoC) CVE-2025-27210, a precise Path Traversal vulnerability affecting Node.js applications running on Microsoft Windows. This vulnerability leverages the specific way Windows handles reserved device file names 

Readme

# CVE-2025-27210_NodeJS_Path_Traversal_Exploiter

Proof of Concept CVE-2025-27210, a precise Path Traversal vulnerability affecting Node.js applications running on Microsoft Windows. This vulnerability leverages the specific way Windows handles reserved device file names (e.g., AUX, CON, NUL) when combined with directory traversal sequences (../) within file paths processed by functions like path.join() or path.normalize().


```
python CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py  -t http://localhost:3000/download -f C:\\Windows\System32\drivers\etc\hosts
```

--------------------------------------------------------------------------------
![Node.js](poc1.jpg)
--------------------------------------------------------------------------------
![Node.js](poc(2).jpg)


The vulnerability was reported by:
@theoblivionsage
https://x.com/theoblivionsage
| https://hackerone.com/oblivionsage

File Snapshot

 [4.0K]  /data/pocs/18bb39436e762062c2203edfa7402d8481b32d91
├── [5.8K]  CVE-2025-27210_NodeJS_Path_Traversal_Exploiter.py
├── [ 11K]  LICENSE
├── [180K]  poc1.jpg
├── [118K]  poc(2).jpg
└── [ 900]  README.md

0 directories, 5 files

Remarks