CVE-2025-55130

Summary

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Affected Software

VendorProductVersion RangeStatus
nodejsnode20.19.6 <= 20.19.6affected
nodejsnode22.21.1 <= 22.21.1affected
nodejsnode24.12.0 <= 24.12.0affected
nodejsnode25.2.1 <= 25.2.1affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

nodejs: Nodejs file permissions bypass

Additional References

References