PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-55130 Nodejs CVE debrief

CVE-2025-55130 is a critical vulnerability in Node.js's Permissions model. This flaw allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. The vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Vendor
Nodejs
Product
Node.js
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-20
Original CVE updated
2026-06-30
Advisory published
2026-01-20
Advisory updated
2026-06-30

Who should care

Users of Node.js v20, v22, v24, and v25 who utilize the permission model are at risk. This includes developers and administrators who have applied the `--allow-fs-read` and `--allow-fs-write` restrictions to limit access. Given the critical severity and potential for system compromise, immediate attention is required to assess and mitigate this vulnerability.

Technical summary

The vulnerability arises from the Permissions model's inability to properly restrict access when using relative symlink paths. An attacker can exploit this by creating a chain of directories and symlinks that allow a script, which is only granted access to the current directory, to read and write files outside the intended scope. This bypasses the `--allow-fs-read` and `--allow-fs-write` restrictions, potentially leading to arbitrary file access and modification.

Defensive priority

High. Given the critical CVSS score of 9.1 and the potential for system compromise, defenders should prioritize patching or mitigating this vulnerability immediately.

Recommended defensive actions

  • Apply patches or updates provided by Node.js for versions v20, v22, v24, and v25.
  • Review and restrict the use of `--allow-fs-read` and `--allow-fs-write` flags until patches are applied.
  • Monitor systems for suspicious activity that could indicate exploitation attempts.
  • Implement compensating controls, such as additional monitoring or access restrictions, if patches cannot be applied immediately.
  • Inventory Node.js installations to identify and prioritize vulnerable systems.

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability, including its description, affected versions, and CVSS score. Vendor advisories and errata from Red Hat also offer insights into the mitigation and patching process.

Official resources

This article is AI-assisted and based on the supplied source corpus.