Fluid Attacks Database

Description

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
alpine v3.22	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| >=0 <22.22.0-r0	22.22.0-r0
debian 14	nodejs	=20.19.2+dfsg-1 \|\| =20.19.4+dfsg-1 \|\| =20.19.5+dfsg+~cs20.19.12-1 \|\| =20.19.5+dfsg+~cs20.19.12-2 \|\| =20.19.5+dfsg+~cs20.19.12-3 \|\| =20.19.5+dfsg+~cs20.19.12-4 \|\| =20.19.5+dfsg+~cs20.19.24-1 \|\| =22.12.0+dfsg-1 \|\| =22.12.0+dfsg-2 \|\| =22.12.0+dfsg-3 \|\| =22.14.0+dfsg-1 \|\| =22.18.0+dfsg+~cs22.17.2-1 \|\| =22.18.0+dfsg+~cs22.17.2-2 \|\| =22.18.0+dfsg-1 \|\| =22.19.0+dfsg+~cs22.18.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-1 \|\| =22.21.1+dfsg+~cs22.19.0-2 \|\| =22.21.1+dfsg+~cs22.19.0-3 \|\| =22.21.1+dfsg+~cs22.19.0-4 \|\| =22.21.1+dfsg+~cs22.19.0-5 \|\| =22.21.1+dfsg+~cs22.19.0-6 \|\| >=0 <22.22.0+dfsg+~cs22.19.6-1	22.22.0+dfsg+~cs22.19.6-1
alpine v3.23	nodejs	=22.11.0-r0 \|\| =22.11.0-r1 \|\| =22.11.0-r2 \|\| =22.13.1-r0 \|\| =22.13.1-r1 \|\| =22.13.1-r2 \|\| =22.13.1-r3 \|\| =22.13.1-r4 \|\| =22.13.1-r5 \|\| =22.16.0-r0 \|\| =22.16.0-r1 \|\| =22.16.0-r2 \|\| =22.16.0-r3 \|\| =22.19.0-r3 \|\| =22.19.0-r4 \|\| =22.21.0-r0 \|\| =24.11.1-r0 \|\| >=0 <24.13.0-r0	24.13.0-r0
debian 13	nodejs	=20.19.2+dfsg-1 \|\| >=0 <20.19.2+dfsg-1+deb13u1	20.19.2+dfsg-1+deb13u1
rpm rhel8	nodejs	<1:20.20.0-1.module+el8.10.0+23905+c49b2aec	1:20.20.0-1.module+el8.10.0+23905+c49b2aec
rpm rhel9	nodejs	<1:20.20.0-1.module+el9.7.0+23895+0637d423	1:20.20.0-1.module+el9.7.0+23895+0637d423
rpm rhel9.4	nodejs	<1:20.20.0-1.module+el9.4.0+23992+5dc31998	1:20.20.0-1.module+el9.4.0+23992+5dc31998
rpm rhel9.6	nodejs	<1:20.20.0-1.module+el9.6.0+23988+6b9eae47	1:20.20.0-1.module+el9.6.0+23988+6b9eae47
rpm rhel10	nodejs22	<1:22.22.0-3.el10_1	1:22.22.0-3.el10_1
rpm rhel10.0	nodejs22	<1:22.22.0-1.el10_0	1:22.22.0-1.el10_0

1-10 of 12

Aliases

1. CVE-2025-551302. NVD-2025-551303. OSV-ALPINE-2025-551304. OSV-2025-551305. OSV-DEBIAN-2025-551306. SECURITY-CVE-2025-551307. SECURITY-TRACKER-CVE-2025-55130

References

1. https://github.com/scumfrog/CVE-2025-55130

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.