Link following in Node.js - CVE-2025-55130


Published: April 17, 2026


Vulnerability identifier: #VU126387
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-55130
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Node.js Foundation
Affected software:
Node.js

Detailed vulnerability description

The vulnerability allows a local user to read or modify arbitrary files outside the intended allowed path.

The vulnerability exists due to improper access control in the permission model's path restriction handling when processing crafted relative symlink paths. A local user can chain directories and symlinks so that a path which appears to lie inside the allowed directory resolves to a file outside it, and thereby read or modify arbitrary files outside the intended allowed path.

The issue affects use of the permission model with --allow-fs-read or --allow-fs-write restrictions.


How to mitigate CVE-2025-55130

Install the security update from the vendor's website.

Sources