CVE-2025-55130 is a vulnerability in the Node.js runtime's permission model that allows attackers to bypass the --allow-fs-read and --allow-fs-write restrictions. Node.js introduced a permission model to restrict file system access for scripts, typically limiting read and write operations to specific directories. However, this vulnerability arises because the permission checks do not correctly handle crafted relative symbolic link (symlink) paths. By chaining multiple directories and symlinks, an attacker can escape the intended sandbox directory and access files outside the allowed scope. This flaw breaks the isolation guarantees expected from the permission model, enabling arbitrary file read and write operations. The vulnerability affects Node.js versions 20.19.6, 22.21.1, 24.12.0, and 25.2.1. The attack complexity is low, requiring only local privileges and no user interaction, but it does require the attacker to have some level of code execution within the Node.js environment with restricted permissions. The impact includes high confidentiality and integrity loss, as sensitive files can be read or modified, potentially leading to system compromise or data leakage. No patches or known exploits are currently documented, but the vulnerability is publicly disclosed and assigned a CVSS v3.0 score of 7.1, indicating high severity. The flaw is particularly critical for environments running untrusted or semi-trusted code with Node.js permission restrictions enabled, such as multi-tenant cloud platforms, development environments, or containerized applications.

For European organizations, this vulnerability poses a significant risk to confidentiality and integrity of sensitive data and systems. Organizations relying on Node.js for backend services, especially those using the permission model to sandbox scripts, could see unauthorized access to critical files, including configuration files, credentials, or proprietary data. This could lead to data breaches, unauthorized data modification, or further system compromise. The vulnerability is particularly concerning for cloud service providers, software development companies, and enterprises using Node.js in multi-tenant or containerized environments common in Europe. The ability to bypass file system restrictions undermines trust in Node.js sandboxing, potentially exposing regulated data subject to GDPR and other compliance requirements. Although exploitation requires local privileges, the ease of bypassing restrictions means that any compromised or malicious code running under Node.js could escalate its access, increasing the attack surface. This could also facilitate lateral movement within networks, impacting operational continuity and data security.

1. Monitor Node.js official channels for patches addressing CVE-2025-55130 and apply updates promptly once available. 2. Until patches are released, avoid running untrusted or semi-trusted code with Node.js permission model restrictions enabled. 3. Implement strict code review and validation processes to prevent malicious or vulnerable scripts from executing in Node.js environments. 4. Restrict the use of symbolic links in directories accessible to Node.js scripts, or audit symlink usage to detect suspicious chaining. 5. Employ runtime monitoring and file integrity checking to detect unauthorized file access or modifications. 6. Use containerization or sandboxing at the OS level to add an additional layer of isolation beyond Node.js permissions. 7. Limit local user privileges to reduce the risk of local code execution that could exploit this vulnerability. 8. Educate developers and system administrators about the risks of symlink traversal and the importance of secure permission configurations in Node.js.