DEBIAN-CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

References

https://security-tracker.debian.org/tracker/CVE-2025-55130

Affected packages

Debian:13 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.19.2+dfsg-1+deb13u1

Affected versions

20.*

20.19.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-55130.json"

Debian:14 / nodejs

Package

Name: nodejs
Purl: pkg:deb/debian/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.22.0+dfsg+~cs22.19.6-1

Affected versions

20.*

20.19.2+dfsg-1

20.19.4+dfsg-1

20.19.5+dfsg+~cs20.19.12-1

20.19.5+dfsg+~cs20.19.12-2

20.19.5+dfsg+~cs20.19.12-3

20.19.5+dfsg+~cs20.19.12-4

20.19.5+dfsg+~cs20.19.24-1

22.*

22.12.0+dfsg-1

22.12.0+dfsg-2

22.12.0+dfsg-3

22.14.0+dfsg-1

22.18.0+dfsg-1

22.18.0+dfsg+~cs22.17.2-1

22.18.0+dfsg+~cs22.17.2-2

22.19.0+dfsg+~cs22.18.0-1

22.21.1+dfsg+~cs22.19.0-1

22.21.1+dfsg+~cs22.19.0-2

22.21.1+dfsg+~cs22.19.0-3

22.21.1+dfsg+~cs22.19.0-4

22.21.1+dfsg+~cs22.19.0-5

22.21.1+dfsg+~cs22.19.0-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-55130.json"