CVE-2025-55130
CriticalCVSS 9.1Exploitation Probability (EPSS)
Elevated risk73th percentile - higher than 73% of all known CVEs
Summary
A flaw in Node.js's Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files.
Risk Assessment
The risk is the breach of isolation guarantees provided by the permission model, potentially leading to unauthorized file read/write and system compromise.
Recommendation
Immediately update Node.js to a patched version (e.g., v20.x.y, v22.x.y, v24.x.y, v25.x.y with the fix) and restrict the use of the permission model in production environments until the update is applied.
Original NVD description (English source)
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

