CVE-2025-55130

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-55130
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-55130.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-55130
Aliases
Downstream
Related
Published
2026-01-20T20:41:55.393Z
Modified
2026-06-18T03:56:47.569818692Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Database specific 
{
    "cna_assigner": "hackerone",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "20.19.6"
                },
                {
                    "last_affected": "22.21.1"
                },
                {
                    "last_affected": "24.12.0"
                },
                {
                    "last_affected": "25.2.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55130.json"
}
References

Affected packages

Git / github.com/nodejs/node

Affected ranges

Type
GIT
Repo
https://github.com/nodejs/node
Events
Introduced
e7618fb5a5fc25d76b6474e2a6607f04fd6f10e0
Fixed
1f7186e1e01d279022cab6acdecb119e472bb409
Introduced
12fb157f79da8c094a54bc99370994941c28c235
Fixed
6add85e4c46b8be383c8b637102d6b6fd206adce
Introduced
c5349f43cd66d2aa02d86414c9ed426f71d3ae48
Fixed
def0bdf8abee441cfcbf793a8dc24a6f3b899573
Introduced
0b3a10d4c8ba5e15429287e725d22615be896e95
Fixed
00d6cd83927d6d5c8fe9d0cdd101daa6df4b1a15
Database specific 
{
    "cpe": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "20.20.0"
        },
        {
            "introduced": "22.0.0"
        },
        {
            "fixed": "22.22.0"
        },
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "24.13.0"
        },
        {
            "introduced": "25.0.0"
        },
        {
            "fixed": "25.3.0"
        }
    ]
}

Affected versions

v20.*
v20.0.0
v20.1.0
v20.10.0
v20.11.0
v20.11.1
v20.12.0
v20.12.1
v20.12.2
v20.13.0
v20.13.1
v20.14.0
v20.15.0
v20.15.1
v20.16.0
v20.17.0
v20.18.0
v20.18.1
v20.18.2
v20.18.3
v20.19.0
v20.19.1
v20.19.2
v20.19.3
v20.19.4
v20.19.5
v20.19.6
v20.2.0
v20.3.0
v20.3.1
v20.4.0
v20.5.0
v20.5.1
v20.6.0
v20.6.1
v20.7.0
v20.8.0
v20.8.1
v20.9.0
v22.*
v22.0.0
v22.1.0
v22.10.0
v22.11.0
v22.12.0
v22.13.0
v22.13.1
v22.14.0
v22.15.0
v22.15.1
v22.16.0
v22.17.0
v22.17.1
v22.18.0
v22.19.0
v22.2.0
v22.20.0
v22.21.0
v22.21.1
v22.3.0
v22.4.0
v22.4.1
v22.5.0
v22.5.1
v22.6.0
v22.7.0
v22.8.0
v22.9.0
v24.*
v24.0.0
v24.0.1
v24.0.2
v24.1.0
v24.10.0
v24.11.0
v24.11.1
v24.12.0
v24.2.0
v24.3.0
v24.4.0
v24.4.1
v24.5.0
v24.6.0
v24.7.0
v24.8.0
v24.9.0
v25.*
v25.0.0
v25.1.0
v25.2.0
v25.2.1

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-55130.json"