Windows Device Names Still Allow Path Traversal in UNC Paths After CVE-2025-27210 Fix
High
Node.js
Reported by
oblivionsage
Vulnerability Details
Technical details and impact analysis
## Summary:
I found that Windows device names (CON, PRN, AUX, etc.) can still be used for path traversal attacks when working with UNC network paths, even after the CVE-2025-27210 patch. So basically, the fix only covered regular paths but missed the UNC path scenario when using `path.join()`.
## Description:
I was testing the recent CVE-2025-27210 fix and noticed something. The patch works fine for regular paths - if I try `path.normalize('CON:../../secret.txt')`, it correctly returns `.\CON:..\..\secret.txt`. Great, that's fixed.
But then I started testing UNC paths (you know, network paths like `\\server\share`) and found the vulnerability still exists there. The issue is that when you use `path.join()` with a UNC path and a device name, the device name gets stripped and the traversal happens.
Here's what I mean:
```javascript
const path = require('path');
// This is fixed (regular path)
console.log(path.normalize('CON:../../secret.txt'));
// Output: .\CON:..\..\secret.txt ✓
// But this is still vulnerable (UNC path)
console.log(path.join('\\\\server\\share\\uploads', 'CON:../../secret.txt'));
// Output: \\server\share\secret.txt ✗
// Should be: \\server\share\uploads\.\CON:..\..\secret.txt
```
This happens because the normalize function inside `path.join()` handles UNC paths differently than regular paths.
## Steps to Reproduce:
1. Use any Node.js version including the latest v24.4.1 (with the CVE-2025-27210 fix)
2. Create a simple test file:
```javascript
const path = require('path');
// Base directory on a network share (UNC path); the backslashes are escaped
// once for the JavaScript string literal.
function getNetworkFile(userInput) {
  const basePath = '\\\\fileserver\\public\\uploads';
  return path.join(basePath, userInput);
}
console.log(getNetworkFile('CON:../../../private/passwords.txt'));
```
3. Run the code
4. Expected result: `\\fileserver\public\uploads\.\CON:..\..\..\private\passwords.txt`
5. Actual result: `\\fileserver\public\private\passwords.txt` (escaped the uploads directory!)
## Why This is Different from CVE-2025-27210:
So I know what you're thinking - "didn't we just fix this?" Well, kinda. CVE-2025-27210 fixed the issue for regular paths by adding the `.\` prefix when it detects device names. But that fix only applies to direct `normalize()` calls or regular local paths.
The difference:
+ CVE-2025-27210: Fixed `path.normalize('CON:../')` for local paths
+ This bug: UNC paths like `\\server\share` + device names still vulnerable when using `path.join()`
It's essentially a bypass of the CVE-2025-27210 fix for network scenarios.
## Mitigation:
To fix this, you should apply the same device name validation logic to UNC paths in the `path.join()` function. Specifically, when joining paths that start with `\\`, the code needs to check for device names and add the `.\` prefix just like it does for regular paths.
The fix probably needs to go in the normalize function's UNC path handling section, around where it processes paths starting with `\\`.
## Impact
An attacker could read files outside the intended directory on Windows network shares:
+ File sharing applications (escape to other users' folders)
+ Cloud storage systems using UNC paths
+ Corporate network shares (access sensitive documents)
+ Any Node.js app that serves files from network locations
Also, this could lead to lateral movement in corporate networks - imagine escaping from `\\webapp\public` to `\\webapp\C$\Windows\System32\config` or even to other servers like `\\adminserver\C$`.
Related CVEs
Associated Common Vulnerabilities and Exposures
CVE-2025-27210
HIGH
An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API.
Report Details
Additional information and metadata
State: Closed
Substate: Informative
Weakness: Path Traversal