Node.js 20.19.4 LTS has been released to address a security issue in which Windows device names bypass path traversal protection in path.normalize(). The fix is a commit that handles all Windows reserved driver names.
Node.js — Node v20.19.4 (LTS)
This is a security release.
Notable Changes
- (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits
- [db7b93fcef] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
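Upgrading is the fix. As defence in depth, applications that join untrusted input to a base directory can reject reserved device names themselves and confirm containment after resolving. The sketch below is an added example, not code from Node.js or from this release. The names `isReservedSegment` and `resolveInside` and the sample paths are hypothetical, and the reserved list goes beyond the three names in the advisory (NUL, COM1-9 and LPT1-9 come from Microsoft's file naming rules).

```javascript
const path = require('node:path');

// Windows reserved device names. A name stays reserved when it carries an
// extension, a ':' suffix or trailing spaces, so only the stem is compared.
const RESERVED = /^(con|prn|aux|nul|com[1-9]|lpt[1-9])$/i;

function isReservedSegment(segment) {
  // Keep the text before the first '.' or ':' and drop trailing spaces.
  const stem = segment.split(/[.:]/)[0].trimEnd();
  return RESERVED.test(stem);
}

// Resolve untrusted relative input under baseDir using Windows path rules.
// Returns the absolute path on success, or null when the input is rejected.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.includes('\0')) return null;

  // Absolute and UNC inputs never belong under a fixed base directory.
  if (path.win32.isAbsolute(userPath)) return null;

  // Reject before normalising, so the decision does not depend on how the
  // running Node.js version treats device names.
  const segments = userPath.split(/[\\/]+/).filter(Boolean);
  if (segments.some(isReservedSegment)) return null;

  // Containment check on the resolved result, not on the raw string.
  const base = path.win32.resolve(baseDir);
  const target = path.win32.resolve(base, userPath);
  const rel = path.win32.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || path.win32.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Constructed sample inputs (not taken from the advisory).
const samples = ['img\\a.png', 'img/../a.png', '..\\secret.txt',
                 'CON', 'aux.txt', 'docs\\PRN\\x', 'console.log'];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveInside('C:\\srv\\uploads', s));
}
```

The check uses `path.win32` explicitly, so it behaves the same when run on a non-Windows host.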
