CVE-2025-55130
📋 TL;DR
A Node.js permissions model vulnerability allows attackers to bypass file system access restrictions using crafted relative symlink paths. This enables arbitrary file read/write operations, potentially leading to system compromise. Affects Node.js v20, v22, v24, and v25 users who rely on the permission model for security isolation.
💻 Affected Systems
- Node.js
📦 What is this software?
Node.js by Nodejs
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file read/write, credential theft, privilege escalation, and lateral movement across the environment.
Likely Case
Unauthorized access to sensitive files (configurations, credentials, databases) within the same user context, leading to data breaches and application compromise.
If Mitigated
Limited impact if proper network segmentation, minimal privileges, and additional security controls are in place, though file system isolation is still broken.
🎯 Exploit Status
Exploitation requires the ability to execute Node.js scripts with permission flags. Attack complexity is low once an attacker has script execution capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v20.18.1, v22.12.1, v24.11.1, v25.10.1
Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
Restart Required: Yes
Instructions:
1. Identify the Node.js version currently installed.
2. Update to the patched version using your package manager (npm, apt, yum, etc.).
3. Restart all Node.js applications and services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Permission Model
Remove --allow-fs-read and --allow-fs-write flags from Node.js execution, though this reduces security isolation.
Remove --allow-fs-read and --allow-fs-write flags from startup scripts and configurations
Restrict Script Execution
Limit execution of Node.js scripts to trusted sources only through application allowlisting.
🧯 If You Can't Patch
- Implement strict file system permissions and access controls to limit potential damage from file system escapes.
- Isolate Node.js applications in containers or VMs with minimal host access to contain breaches.
🔍 How to Verify
Check if Vulnerable:
Check if Node.js version is v20.x (<20.18.1), v22.x (<22.12.1), v24.x (<24.11.1), or v25.x (<25.10.1) and if --allow-fs-read or --allow-fs-write flags are used.
Check Version:
node --version
Verify Fix Applied:
Verify Node.js version is v20.18.1+, v22.12.1+, v24.11.1+, or v25.10.1+ and test that symlink-based path traversal is blocked.
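The version and flag check described above can be scripted. The following is an added example, not code from the Node.js project or the vendor advisory; the patch versions are the ones listed on this page, and the function names and status labels are assumptions made for illustration.

```javascript
// Added example. Thresholds are the patch versions listed on this page.
const PATCHED = { 20: [20, 18, 1], 22: [22, 12, 1], 24: [24, 11, 1], 25: [25, 10, 1] };
const FS_FLAGS = ['--allow-fs-read', '--allow-fs-write'];

// Parse "v22.12.0" or "22.12.0" into [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognized Node.js version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison, so that 24.2.9 sorts below 24.11.1.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Matches both "--allow-fs-read=/path" and "--allow-fs-read /path".
function usesFsPermissionFlags(args) {
  return args.some((a) => FS_FLAGS.some((f) => a === f || a.startsWith(f + '=')));
}

// Status labels (hypothetical names):
//   affected              - release line listed here, below its patch version, fs flags in use
//   unpatched-no-fs-flags - below the patch version, but no fs permission flags seen
//   patched               - at or above the patch version for its release line
//   not-listed            - major version not covered by this page
function assess(version, args) {
  const ver = parseVersion(version);
  const fixed = PATCHED[ver[0]];
  const flags = usesFsPermissionFlags(args);
  if (!fixed) return { status: 'not-listed', flags };
  if (!isBelow(ver, fixed)) return { status: 'patched', flags };
  return { status: flags ? 'affected' : 'unpatched-no-fs-flags', flags };
}

// Assess the running process: command-line flags plus NODE_OPTIONS.
function assessCurrentProcess() {
  const envOpts = (process.env.NODE_OPTIONS || '').split(/\s+/).filter(Boolean);
  return assess(process.version, [...process.execArgv, ...envOpts]);
}

console.log(assessCurrentProcess());
```

Run it with the same flags and environment as the production service, since it only sees the arguments of its own process.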
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from Node.js processes, especially attempts to access files outside allowed directories.
- Multiple symlink creation or traversal events in system logs.
Network Indicators:
- None specific to this vulnerability as it's local file system exploitation.
SIEM Query:
Process execution logs where Node.js is launched with --allow-fs-read or --allow-fs-write flags, combined with file access alerts to sensitive paths.