Path validation vulnerability, September 2017

Michael Dawson

Path Validation Vulnerability (Updated 29-September-2017 - CVE assigned)

The Node.js project released a new version of 8.x this week which incorporates a security fix.


Version 8.5.0 of Node.js is vulnerable. 4.x and 6.x versions are NOT vulnerable.


Node.js 8 (Current)

Node.js-specific security flaws

Node.js version 8.5.0 included a change which caused a security vulnerability in the checks on paths made by some community modules. As a result, an attacker may be able to access file system paths other than those intended.

This problem was resolved within Node.js by partially reverting

A CVE has been assigned as CVE-2017-14849

Contact and future updates

The current Node.js security policy can be found at

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

Last Updated
Sep 29, 2017
Reading Time
1 min read
Edit this page
Table of Contents
  1. Impact
  3. Node.js-specific security flaws
  4. Contact and future updates