9.1

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NodejsNode.Js SwEdition- Version >= 20.0.0 < 20.20.0
NodejsNode.Js SwEdition- Version >= 22.0.0 < 22.22.0
NodejsNode.Js SwEdition- Version >= 24.0.0 < 24.13.0
NodejsNode.Js SwEdition- Version >= 25.0.0 < 25.3.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.63% 0.733
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.1 1.8 5.2
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
support@hackerone.com 7.1 1.8 5.2
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CWE-289 Authentication Bypass by Alternate Name

The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Vendor Advisory
Release Notes
https://access.redhat.com/errata/RHSA-2026:1842
https://access.redhat.com/errata/RHSA-2026:1843
https://access.redhat.com/errata/RHSA-2026:2420
https://access.redhat.com/errata/RHSA-2026:2421
https://access.redhat.com/errata/RHSA-2026:2422
https://access.redhat.com/errata/RHSA-2026:2767
https://access.redhat.com/errata/RHSA-2026:2768
https://access.redhat.com/errata/RHSA-2026:2781
https://access.redhat.com/errata/RHSA-2026:2782
https://access.redhat.com/errata/RHSA-2026:2783
https://access.redhat.com/errata/RHSA-2026:2864
https://access.redhat.com/errata/RHSA-2026:2899
https://access.redhat.com/errata/RHSA-2026:6402
https://access.redhat.com/errata/RHSA-2026:6431
https://access.redhat.com/errata/RHSA-2026:7386
https://access.redhat.com/errata/RHSA-2026:7387
https://access.redhat.com/security/cve/CVE-2025-55130
https://bugzilla.redhat.com/show_bug.cgi?id=2431352
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55130.json