CVE-2025-55130

CRITICAL EPSS 38.4%

Published Jan 20, 20265mo ago · Modified Jun 17, 20261w ago

9.1 CVSS 3.1

Critical

Published Jan 20, 2026 5mo ago

Last Modified Jun 17, 2026 1w ago

Description

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

CVSS Details

Base Score

9.1

Exploitability

3.9

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

38.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-289

Affected Products 4

Vendor	Product	Version	Range
nodejs	node.js	*	≥20.0.0 – <20.20.0
nodejs	node.js	*	≥22.0.0 – <22.22.0
nodejs	node.js	*	≥24.0.0 – <24.13.0
nodejs	node.js	*	≥25.0.0 – <25.3.0

References 1

nodejs.org https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Release NotesVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.