External risk intelligence

Node.js Permissions Bypass Allows Arbitrary File Read Write.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2025-55130

This vulnerability exists within the Node.js runtime's internal permissions model and requires an attacker to execute a crafted script or manipulate file system paths locally. It is not an internet-facing service or network-accessible endpoint; exploitation relies on local execution context, making it very unlikely to be reachable via public internet exposure.

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Node.js's permissions system could allow unauthorized access to sensitive files, bypassing intended security controls. This issue affects specific versions of Node.js and, if exploited, could lead to broader system compromise by enabling arbitrary file reading and writing.

  • Flaw bypasses file access restrictions.
  • Confirms isolation security promises are broken.
  • Verify if this affects your Node.js environments.

Attack Path

How an attacker could exploit the issue

An attacker can bypass Node.js's file system access controls by crafting specific relative symbolic link paths. This allows a script that is only permitted to read or write within its own directory to escape those boundaries and access sensitive files elsewhere on the system, potentially leading to a full compromise.

  • Requires local script execution.
  • Triggers via crafted symlink paths.
  • Leads to arbitrary file read/write.

Live Threat

Current exploitation, exposure, and threat context

A flaw in Node.js's Permissions model could allow a script that is only supposed to access its own directory to read or write sensitive files outside of its intended scope. This occurs when attackers use carefully constructed paths involving symlinks to bypass the restrictions designed to limit file system access. This could break the intended isolation and potentially lead to unauthorized access to system or user data.

  • Sensitive files on the system.
  • Crafted symlinks to escape directory.
  • Arbitrary file read/write.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts Node.js applications using the Permissions model. Application owners and platform teams are likely responsible for identifying and remediating this risk. The first practical step is to locate all instances of the affected Node.js versions, assess their exposure and business criticality, and then plan remediation based on that assessment.

  • Application owners should own remediation.
  • Verify impacted applications and reachability.
  • Plan updates during the next maintenance window.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Node.js and why does it have a permissions model?

Node.js is a runtime environment that allows developers to run JavaScript code outside of a web browser, often used to build scalable server-side applications. The built-in permissions model is a security feature designed to restrict a script's access to system resources, such as specific directories or files. By using flags like --allow-fs-read, developers can create a sandbox that prevents scripts from accessing sensitive parts of the file system, helping to contain potential damage if a script is compromised.

How does CVE-2025-55130 bypass file access restrictions?

This vulnerability involves a weakness in how the Node.js permissions model processes symbolic links (symlinks). The bug, identified by CWE-289 and CWE-281, allows a malicious script to use crafted relative symlink paths to 'trick' the runtime. By chaining these links, the script can escape its intended directory boundaries, effectively neutralizing the isolation that the permissions model is supposed to provide and granting unauthorized read or write access to files elsewhere on the machine.

What triggers the vulnerability in the Node.js permissions model?

The flaw is triggered when a script, running with restricted permissions, is able to access or create specifically crafted symbolic links that point outside the allowed directory. It does not trigger if the application does not use the Node.js permissions model features, or if the environment does not allow the creation or use of symlinks. The exploit requires the ability to influence or provide a script that executes within the Node.js runtime environment.

Is this CVE a risk to my internet-facing services?

According to Halo Surface Signal, this vulnerability is very unlikely to be reachable via public internet exposure. Because the flaw exists within the local runtime's internal permissions logic, it requires an attacker to already have a way to execute a script or manipulate file system paths locally on the host. It is not an internet-accessible network service, meaning the risk is primarily tied to the local execution environment rather than direct external network probing.

What are the first steps to address this Node.js issue?

To address this, identify all systems currently running the affected versions of Node.js, which include branches v20, v22, v24, and v25. Once identified, evaluate which applications rely on the built-in permissions model for security. After prioritizing these environments based on their function and sensitivity, plan to update the Node.js runtime to a patched version as soon as possible during your next scheduled maintenance window.

References