{
  "threat_severity" : "Important",
  "public_date" : "2026-01-20T20:41:55Z",
  "bugzilla" : {
    "description" : "nodejs: Nodejs file permissions bypass",
    "id" : "2431352",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431352"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-281",
  "details" : [ "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise.\nThis vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.", "A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1842",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.13.0-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1843",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs22-1:22.22.0-3.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2899",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "nodejs22-1:22.22.0-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2420",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260116121421.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2421",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020260119091831.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2422",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020260119100525.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260117213814.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2782",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9070020260117213838.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2783",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9070020260117213748.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2768",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "nodejs:20-9040020260211171433.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2767",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:20-9060020260210180816.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-02-18T00:00:00Z",
    "advisory" : "RHSA-2026:2864",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "nodejs:22-9060020260210120402.rhel9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6402",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6431",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7378",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7386",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs20-main-20.20.0-7.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7387",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs22-main-22.22.0-1.3.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-11T00:00:00Z",
    "advisory" : "RHSA-2026:7657",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.1.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55130\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55130\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases" ],
  "name" : "CVE-2025-55130",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}