CVE-2025-27210 breaks Windows path.normalize() with device names; CVE-2025-27209 reintroduces HashDoS in V8's rapidhash—upgrade 20.x, 22.x, 24.x before July 15.
July 7, 2026
Summary
Windows developers using path.join are exposed to directory traversal attacks; all 24.x users face collision-based DoS on attacker-controlled string hashing. Mandatory upgrades block production deployments.
Why it matters
Windows developers using path.join are exposed to directory traversal attacks; all 24.x users face collision-based DoS on attacker-controlled string hashing. Mandatory upgrades block production deployments.
Implementation verdict
Patch version bumps (20.19.4, 22.17.1, 24.4.1) replace vulnerable builds. No code changes required—upgrade immediately after July 15 release. Both are high-severity, blocking use of affected release lines in security-conscious environments.
Sources
Dev Signal
Get briefs like this in your inbox — free, every weekday.
100+ sources compressed into one 4-minute read. Ranked, cited, implementation-ready.