2431352 – (CVE-2025-55130) CVE-2025-55130 nodejs: Nodejs file permissions bypass

Bug 2431352 (CVE-2025-55130) - CVE-2025-55130 nodejs: Nodejs file permissions bypass

Summary: CVE-2025-55130 nodejs: Nodejs file permissions bypass

Keywords:
Status:	NEW
Alias:	CVE-2025-55130
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431478 2431483 2431486 2431489 2431492 2431494 2431497
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-20 21:03 UTC by OSIDB Bzimport
Modified:	2026-01-21 01:14 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-20 21:03:29 UTC

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.
This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.

Note You need to log in before you can comment on or make changes to this bug.