Node.js 20/22/24/25 Permission Model Bypass via Symlink CVE-2025-55130
CVE-2025-55130 Published on January 20, 2026
A flaw in Node.js's permission model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Weakness Type
Authentication Bypass by Alternate Name
The software performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.
Affected Versions
nodejs node:
- Version 20.19.6, <= 20.19.6 is affected.
- Version 22.21.1, <= 22.21.1 is affected.
- Version 24.12.0, <= 24.12.0 is affected.
- Version 25.2.1, <= 25.2.1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to those of all other scored vulnerabilities.