CVE-2025-55130
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-02-03
Assigner: HackerOne
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nodejs | node.js | From 20.0.0 (inc) to 20.20.0 (exc) |
| nodejs | node.js | From 22.0.0 (inc) to 22.22.0 (exc) |
| nodejs | node.js | From 24.0.0 (inc) to 24.13.0 (exc) |
| nodejs | node.js | From 25.0.0 (inc) to 25.3.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-289 | The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Node.js's permission model allows attackers to bypass the `--allow-fs-read` and `--allow-fs-write` restrictions by using specially crafted relative symbolic link (symlink) paths. By chaining directories and symlinks, a script that should only have access to the current directory can escape this limitation and read or write arbitrary sensitive files outside the allowed path, breaking the expected isolation guarantees. [1]
How can this vulnerability impact me? :
The vulnerability can lead to arbitrary file read and write operations outside the intended restricted directory. This can result in unauthorized access to sensitive files and potentially compromise the entire system where the vulnerable Node.js version is running. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update Node.js to a version where the issue is fixed. The vulnerability affects Node.js versions 20.x, 22.x, 24.x, and 25.x, and has been fixed by RafaelGSS. Applying the latest security releases from Node.js that address CVE-2025-55130 will prevent attackers from bypassing the permission model restrictions. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to bypass file system access restrictions and read or write arbitrary sensitive files outside the intended scope. Such unauthorized access to sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to potential data breaches and loss of data confidentiality. [1]