CVE-2025-55130

CWE-289 CWE-2818 documents7 sources

Severity

9.1CRITICAL

EPSS

0.0%

top 97.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nodejs Node.js Nodejs Node

Timeline

PublishedJan 20

Description

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20,…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.2

Affected Packages4 packages

▶NVDnodejs/node.js20.0.0 — 20.20.0+3

▶Alpinenodejs< 22.22.2-r0+2

▶Debiannodejs< 20.19.2+dfsg-1+deb13u1+1

▶CVEListV5nodejs/node20.19.6 — 20.19.6+3

🔴Vulnerability Details

OSV

CVE-2025-55130: A flaw in Node↗2026-01-20

▶

CVEList

CVE-2025-55130: A flaw in Node↗2026-01-20

▶

GHSA

GHSA-62wc-jj78-f4f6: A flaw in Node↗2026-01-20

▶

OSV

CVE-2025-55130: A flaw in Node↗2026-01-20

▶

📋Vendor Advisories

Red Hat

nodejs: Nodejs file permissions bypass↗2026-01-20

▶

Debian

CVE-2025-55130: nodejs - A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-rea...↗2025

▶

🕵️Threat Intelligence

Wiz

CVE-2025-55130 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶