CVE-2025-55130 is a vulnerability in the Node.js runtime's permission model affecting versions 20.19.6, 22.21.1, 24.12.0, and 25.2.1. Node.js introduced a permission model that restricts file system access via flags like `--allow-fs-read` and `--allow-fs-write`, intended to limit scripts to specific directories. However, this vulnerability allows attackers to bypass these restrictions by exploiting the way Node.js resolves relative symbolic links (symlinks). By crafting a chain of directories and symlinks, an attacker can escape the intended directory confinement and gain unauthorized read and write access to arbitrary files outside the allowed paths. This breaks the isolation guarantees expected from the permission model, potentially leading to disclosure of sensitive information and unauthorized modification of critical files. The vulnerability requires the attacker to have at least limited privileges on the system (local access with some permissions) but does not require user interaction. The CVSS v3.0 score is 7.1, reflecting high impact on confidentiality and integrity, with low attack complexity and privileges required. No public exploits or patches are currently available, but the flaw is documented and published as of January 2026. The underlying weakness relates to improper access control (CWE-289) in the permission enforcement mechanism of Node.js. This vulnerability is particularly relevant for environments that rely on Node.js sandboxing to enforce security boundaries, such as multi-tenant platforms, serverless functions, or development environments with restricted file access.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of data and systems running Node.js applications with permission restrictions enabled. Attackers with limited local access could escalate their privileges by reading or modifying sensitive configuration files, credentials, or source code, potentially leading to full system compromise or lateral movement within networks. Organizations in sectors such as finance, healthcare, and critical infrastructure that use Node.js for backend services or automation scripts are particularly vulnerable. The breach of file system isolation undermines trust in Node.js sandboxing, increasing the attack surface for insider threats or compromised accounts. Additionally, the lack of patches at present means organizations must rely on mitigations until updates are released, increasing exposure time. The impact on availability is low, but the high impact on confidentiality and integrity can lead to regulatory compliance issues under GDPR and other European data protection laws, resulting in legal and financial consequences.

1. Immediately audit and restrict local user access to systems running affected Node.js versions to minimize risk of local exploitation. 2. Avoid running untrusted or semi-trusted scripts with Node.js permission flags `--allow-fs-read` and `--allow-fs-write` enabled until patches are available. 3. Implement strict filesystem monitoring to detect unusual symlink creations or directory traversal attempts that could indicate exploitation attempts. 4. Use containerization or virtualization to isolate Node.js processes further, limiting potential damage from permission bypass. 5. Track Node.js security advisories closely and prepare to apply patches promptly once released. 6. Review and harden file system permissions on critical files and directories to reduce impact if unauthorized access occurs. 7. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous file access patterns. 8. Educate developers and system administrators about the risks of symlink attacks and the importance of secure coding and deployment practices in Node.js environments.