nodejs · aduh95 · Mar 2, 2025 · Feb 15, 2025 · Feb 16, 2025 · Mar 2, 2025
diff --git a/doc/api/path.md b/doc/api/path.md
@@ -317,17 +317,29 @@ added: v0.11.2
 * `path` {string}
 * Returns: {boolean}
 
-The `path.isAbsolute()` method determines if `path` is an absolute path.
+The `path.isAbsolute()` method determines if the literal `path` is absolute.
+Therefore, it’s not safe for mitigating path traversals without normalizing it.
+
+```js
+// Normalizing the subpath mitigates traversing above the mount directory
+const subpath = '/foo/../..'
+if (!path.isAbsolute(path.normalize(subpath))) {
+  throw 'FORBIDDEN'
+}
+const myPath = path.join(MOUNT_DIR, subpath)
+```
+
 
 If the given `path` is a zero-length string, `false` will be returned.
 
-For example, on POSIX:
+On POSIX:
 
 ```js
-path.isAbsolute('/foo/bar'); // true
-path.isAbsolute('/baz/..');  // true
-path.isAbsolute('qux/');     // false
-path.isAbsolute('.');        // false
+path.isAbsolute('/foo/bar');   // true
+path.isAbsolute('/baz/..');    // true
+path.isAbsolute('/baz/../..'); // true
+path.isAbsolute('qux/');       // false
+path.isAbsolute('.');          // false
 ```
 
 On Windows: