CVE-2025-55130

Critical CVSS: 9.1

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Vendor

Nodejs

Product

Node.js

CWE

CWE-289

Yayın Tarihi

2026-01-20 21:16:03

Güncelleme

2026-02-03 21:29:50

Source Identifier

support@hackerone.com

KEV Date Added

Kategoriler

CWE-289 Node.js CRITICAL Nodejs 2026

Referanslar

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Benzer Kayıtlar

Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject…

High

CVE-2026-1528

ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's Byt…

High

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_m…

Medium

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulne…

High

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessa…

Medium

CVE-2026-1525

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Co…