Cyber Resilience

CVE-2025-55130

Critical · Updated

Published: 20 January 2026

Modified: 30 June 2026
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0049 (38.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-55130 is a critical-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Node.js. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-55130 is a vulnerability in Node.js's Permissions model that enables attackers to bypass the `--allow-fs-read` and `--allow-fs-write` restrictions through crafted relative symlink paths. By chaining directories and symlinks, a script permitted access only to the current directory can escape its allowed path, read sensitive files elsewhere, and perform arbitrary file read/write operations. This flaw undermines the isolation guarantees of the permission model and can lead to system compromise. It affects users of the permission model in Node.js versions v20, v22, v24, and v25. The CVSS score is 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), and the flaw is classified as CWE-289.

The vulnerability can be exploited by any unauthenticated attacker (PR:N) over the network (AV:N) with low complexity (AC:L), provided they can execute a malicious Node.js script in an environment using the permission model. Exploitation grants high-impact confidentiality (C:H) and integrity (I:H) violations through arbitrary file read/write capabilities outside the intended scope, though it has no direct availability impact (A:N). Successful attacks break expected sandboxing, potentially allowing access to sensitive system files and full compromise of the host.

For mitigation details, refer to the Node.js security advisory at https://nodejs.org/en/blog/vulnerability/december-2025-security-releases, which covers patches and remediation steps for affected versions.
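
As an added example (not code from this page or from the Node.js project), the following Node.js audit lists symlinks under a directory intended for `--allow-fs-read` / `--allow-fs-write` whose resolved target lies outside that directory, the kind of path the description above says the bypass is built from. The function names and the sample directory layout are constructed for illustration.

```javascript
// Added example: audit a directory that will be granted via
// --allow-fs-read / --allow-fs-write for symlinks that resolve outside it.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// True when `target` is `root` itself or lies beneath it (both already resolved).
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === '' || (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

// Walk `allowedRoot` without following links and report each symlink whose
// real target escapes the root. Dangling links are reported too, because
// their target can be created later.
function findEscapingSymlinks(allowedRoot) {
  const root = fs.realpathSync(allowedRoot);
  const findings = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isSymbolicLink()) {
        let resolved = null;
        try { resolved = fs.realpathSync(full); } catch { /* dangling link */ }
        if (resolved === null || !isInside(root, resolved)) {
          findings.push({ link: path.relative(root, full), raw: fs.readlinkSync(full), resolved });
        }
      } else if (entry.isDirectory()) {
        stack.push(full);
      }
    }
  }
  return findings;
}

// Constructed sample layout: sandbox/a/b/up -> ../../.. (leaves the root),
// sandbox/ok -> a (stays inside the root).
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'permaudit-'));
  const sandbox = path.join(base, 'sandbox');
  fs.mkdirSync(path.join(sandbox, 'a', 'b'), { recursive: true });
  fs.symlinkSync('../../..', path.join(sandbox, 'a', 'b', 'up'));
  fs.symlinkSync('a', path.join(sandbox, 'ok'));
  const findings = findEscapingSymlinks(sandbox);
  fs.rmSync(base, { recursive: true, force: true });
  return findings;
}
```

Run `findEscapingSymlinks()` against the directory before it is passed to the permission flags; an empty result means no link inside the tree currently resolves outside it.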


Vulnerability details

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery (Discovery)
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Bypass of Node.js FS permission sandbox directly enables remote exploitation of exposed apps (T1190) and arbitrary local file/directory access (T1005/T1083).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21636 · Same product: Nodejs Node.Js
CVE-2026-21637 · Same product: Nodejs Node.Js
CVE-2025-59464 · Same product: Nodejs Node.Js
CVE-2025-59466 · Same product: Nodejs Node.Js
CVE-2026-1525 · Same vendor: Nodejs
CVE-2026-2229 · Same vendor: Nodejs
CVE-2026-1528 · Same vendor: Nodejs
CVE-2026-1526 · Same vendor: Nodejs
CVE-2026-22036 · Same vendor: Nodejs
CVE-2024-56511 · Shared CWE-289

Affected Assets

nodejs
node.js
20.0.0 — 20.20.0 · 22.0.0 — 22.22.0 · 24.0.0 — 24.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and correction of the specific flaw in Node.js permission model, enabling patching to prevent symlink-based bypass of FS restrictions.

prevent

Mandates a reference monitor mechanism to correctly enforce access control policies, directly mitigating the permission model's failure to block crafted relative symlink paths.

prevent

Enforces approved authorizations for logical access to file system resources, preventing escape from sandboxed directories via symlink traversal.
