CVE-2025-55130

Description

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Affected packages (4)

• Alpine/nodejsfrom 0, < 22.22.2-r0
• Bitnami/node>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
• Bitnami/node-min>= 20.0.0, < 20.20.0, >= 21.0.0, < 22.22.0, >= 23.0.0, < 24.13.0, >= 25.0.0, < 25.3.0
• Debian/nodejsfrom 0, < 20.19.2+dfsg-1+deb13u1

CVSS scores

References (4)

• ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2025-55130
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-55130
• WEBhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases
• WEBhttps://nvd.nist.gov/vuln/detail/CVE-2025-55130