CVE-2025-55130
9.1
CRITICAL
CVSS 3.1
EPSS 0.02%
Description
A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
How to fix CVE-2025-55130
To remediate CVE-2025-55130, upgrade the affected package to a fixed version below.
- Upgrade to 22.22.2-r0 or later
- Upgrade to 20.20.0 or later
- Upgrade to 20.20.0 or later
- Upgrade to 20.19.2+dfsg-1+deb13u1 or later
Is CVE-2025-55130 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 22.22.2-r0
- >= 20.0.0, < 20.20.0; >= 21.0.0, < 22.22.0; >= 23.0.0, < 24.13.0; >= 25.0.0, < 25.3.0
- >= 20.0.0, < 20.20.0; >= 21.0.0, < 22.22.0; >= 23.0.0, < 24.13.0; >= 25.0.0, < 25.3.0
- from 0, < 20.19.2+dfsg-1+deb13u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |