CVE Catalog

CVE-2025-55130

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.63%

73th percentile - higher than 73% of all known CVEs

Summary

A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files.

Risk Assessment

The risk is the breach of isolation guarantees provided by the permission model, potentially leading to unauthorized file read/write and system compromise.

Recommendation

Immediately update Node.js to a patched version (e.g., v20.x.y, v22.x.y, v24.x.y, v25.x.y with the fix) and restrict the use of the permission model in production environments until the update is applied.

Original NVD description (English source)

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS