Cyber Posture

CVE-2025-55130

Critical

Published: 20 January 2026

Modified: 03 February 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0001 (3.1th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55130 is a critical-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Node.js. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 3.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires identification, reporting, and correction of the specific flaw in Node.js permission model, enabling patching to prevent symlink-based bypass of FS restrictions.

prevent

Mandates a reference monitor mechanism to correctly enforce access control policies, directly mitigating the permission model's failure to block crafted relative symlink paths.

prevent

Enforces approved authorizations for logical access to file system resources, preventing escape from sandboxed directories via symlink traversal.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1083 File and Directory Discovery (tactic: Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

Why these techniques?

Bypass of Node.js FS permission sandbox directly enables remote exploitation of exposed apps (T1190) and arbitrary local file/directory access (T1005/T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Deeper analysis (AI)

CVE-2025-55130 is a vulnerability in Node.js's Permissions model that enables attackers to bypass the `--allow-fs-read` and `--allow-fs-write` restrictions through crafted relative symlink paths. By chaining directories and symlinks, a script permitted access only to the current directory can escape its allowed path, read sensitive files elsewhere, and perform arbitrary file read/write operations. This flaw undermines the isolation guarantees of the permission model and can lead to system compromise. It affects users of the permission model in Node.js versions v20, v22, v24, and v25, with a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-289.

The vulnerability can be exploited by any unauthenticated attacker (PR:N) over the network (AV:N) with low complexity (AC:L), provided they can execute a malicious Node.js script in an environment using the permission model. Exploitation grants high-impact confidentiality (C:H) and integrity (I:H) violations through arbitrary file read/write capabilities outside the intended scope, though it has no direct availability impact (A:N). Successful attacks break expected sandboxing, potentially allowing access to sensitive system files and full compromise of the host.

For mitigation details, refer to the Node.js security advisory at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases, which covers patches and remediation steps for affected versions.

Details

CWE(s)

Affected Products

nodejs
node.js
20.0.0 — 20.20.0 · 22.0.0 — 22.22.0 · 24.0.0 — 24.13.0

CVEs Like This One

CVE-2026-21637 · Same product: Nodejs Node.Js
CVE-2026-21636 · Same product: Nodejs Node.Js
CVE-2025-59464 · Same product: Nodejs Node.Js
CVE-2025-59466 · Same product: Nodejs Node.Js
CVE-2026-1525 · Same vendor: Nodejs
CVE-2026-1526 · Same vendor: Nodejs
CVE-2026-1528 · Same vendor: Nodejs
CVE-2026-2229 · Same vendor: Nodejs
CVE-2026-22036 · Same vendor: Nodejs
CVE-2024-56511 · Shared CWE-289
