
CVE-2025-55130: Vulnerability in nodejs node

Severity: High
Type: Vulnerability
Published: Tue Jan 20 2026 (01/20/2026, 20:41:55 UTC)
Source: CVE Database V5
Vendor/Project: nodejs
Product: node

Description

A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 08:20:50 UTC

Technical Analysis

CVE-2025-55130 is a vulnerability in the Node.js runtime's Permissions model affecting versions 20.19.6, 22.21.1, 24.12.0, and 25.2.1. Node.js introduced a permission system that restricts filesystem access using flags such as `--allow-fs-read` and `--allow-fs-write`, which are intended to confine scripts to specific directories or files. However, this vulnerability allows an attacker to bypass these restrictions by leveraging crafted relative symbolic link (symlink) paths. By chaining multiple directories and symlinks, a script granted access only to the current directory can traverse outside the allowed path boundaries. This traversal enables arbitrary file read and write operations beyond the intended scope, violating the principle of least privilege and breaking isolation guarantees. The flaw is rooted in improper validation of symlink resolution within the permission checks, categorized under CWE-289 (Improper Authentication). Exploitation requires the attacker to have limited privileges on the system and to execute Node.js scripts with the permission flags enabled. No user interaction is necessary, and the attack vector is local. The CVSS v3.0 base score is 7.1, reflecting high severity due to high confidentiality and integrity impact, low attack complexity, and limited privileges required. Although no public exploits are known, the vulnerability could be leveraged to access sensitive configuration files, credentials, or modify critical files, potentially leading to privilege escalation or system compromise. The issue affects a broad range of Node.js versions currently in active use, making it relevant for many development and production environments.

Potential Impact

The vulnerability can have severe consequences for organizations using Node.js with the permission model enabled. Attackers with limited local access can bypass filesystem restrictions, leading to unauthorized disclosure of sensitive data such as credentials, configuration files, or proprietary code. The ability to write arbitrary files may allow attackers to implant malicious code, modify application behavior, or escalate privileges. This undermines the security assumptions of sandboxed or permission-restricted Node.js environments, increasing the risk of lateral movement and persistent compromise. Enterprises relying on Node.js for backend services, serverless functions, or development tooling are at risk, especially if they use the permission flags to enforce strict filesystem access controls. The breach of isolation can also affect containerized or multi-tenant environments where Node.js scripts run with constrained permissions. Although exploitation requires local access, the widespread adoption of Node.js and its use in cloud and on-premises infrastructure amplifies the potential impact globally.

Mitigation Recommendations

1. Update Node.js to a patched version as soon as one is available from the official Node.js project. No patch links are currently provided, but the update should be prioritized.
2. Until patches are released, avoid using the `--allow-fs-read` and `--allow-fs-write` permission flags in untrusted or semi-trusted environments.
3. Implement strict access controls at the operating system level to limit who can execute Node.js scripts with elevated permissions.
4. Monitor filesystem access patterns and audit logs for unusual symlink traversals or unexpected file reads/writes.
5. Use containerization or sandboxing technologies to isolate Node.js processes further, reducing the impact of potential escapes.
6. Review and harden symbolic link handling policies in deployment environments to prevent crafted symlink chains.
7. Educate developers and DevOps teams about the risks of relying solely on Node.js permission flags for security and encourage defense-in-depth strategies.
8. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect anomalous file access behaviors.
9. Conduct regular security assessments and penetration testing focusing on filesystem permission bypass scenarios in Node.js applications.


Technical Details

Data Version: 5.2
Assigner Short Name: hackerone
Date Reserved: 2025-08-07T15:00:05.576Z
Cvss Version: 3.0
State: PUBLISHED

Threat ID: 696feab04623b1157c4e3b6c

Added to database: 1/20/2026, 8:50:56 PM

Last enriched: 2/27/2026, 8:20:50 AM

Last updated: 3/24/2026, 11:47:20 PM
