CRITICAL🇵🇱 Wersja polska

CVE-2025-55130

CVSS 9.1v3.1pub. 2026-01-20upd. 2026-06-30

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Node.js

    APP
    Nodejs
    20.0.0 – 20.20.0 (bez)22.0.0 – 22.22.0 (bez)24.0.0 – 24.13.0 (bez)25.0.0 – 25.3.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-48930CRITICAL9.8PL ✓ten sam produkt

Node.js TLS: błąd obsługi hostname z null-bajtem prowadzi do przekierowania authority

CVE-2026-21636CRITICAL10.0PL ✓ten sam produkt

Node.js: obejście modelu uprawnień przez Unix Domain Socket

CVE-2024-3566CRITICAL9.8PL ✓ten sam produkt

Command injection w aplikacjach Windows korzystających z CreateProcess

CVE-2024-21896CRITICAL9.8PL ✓ten sam produkt

Path traversal w Permission Model Node.js przez monkey-patching Buffer

CVE-2023-39332CRITICAL9.8ten sam produkt

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects. In Node.js envir...