Intel

AIKIDO-2026-10029

node is vulnerable to Path Traversal

Path TraversalCVE-2025-55130 Published Jan 14, 2026

85

High Risk

This Affects:

OSnode
0.0.1 - 20.19.6
Fixed in 20.20.0
21.0.0 - 22.21.1
Fixed in 22.22.0
23.0.0 - 24.12.0
Fixed in 24.13.0
25.0.0 - 25.2.0
Fixed in 25.3.0
Are you affected? Scan for Free

TL;DR

Affected versions of the package allow a permissions bypass in the Node.js Permissions model, where crafted relative symlink paths can circumvent --allow-fs-read and --allow-fs-write restrictions. By chaining directories and symlinks, a script limited to the current directory can escape the permitted path and perform arbitrary file read or write operations, breaking isolation guarantees and potentially leading to system compromise.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

node is vulnerable to Path Traversal in versions 25.0.0 - 25.2.0, 23.0.0 - 24.12.0, 21.0.0 - 22.21.1 and 0.0.1 - 20.19.6.

How to fix this

Upgrade the node library to a patch version.

Links

nodejs.org/en/blog/vulnerability/december-2025-security-releases#bypass-file-system-permissions-using-crafted-symlinks-cve-2025-55130---high
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#bypass-file-system-permissions-using-crafted-symlinks-cve-2025-55130---high
nodejs.org/en/blog/vulnerability/december-2025-security-releases
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases
access.redhat.com/errata/RHSA-2026:1842
https://access.redhat.com/errata/RHSA-2026:1842
access.redhat.com/errata/RHSA-2026:1843
https://access.redhat.com/errata/RHSA-2026:1843
access.redhat.com/errata/RHSA-2026:2420
https://access.redhat.com/errata/RHSA-2026:2420
access.redhat.com/errata/RHSA-2026:2421
https://access.redhat.com/errata/RHSA-2026:2421
access.redhat.com/errata/RHSA-2026:2422
https://access.redhat.com/errata/RHSA-2026:2422
access.redhat.com/errata/RHSA-2026:2767
https://access.redhat.com/errata/RHSA-2026:2767
access.redhat.com/errata/RHSA-2026:2768
https://access.redhat.com/errata/RHSA-2026:2768
access.redhat.com/errata/RHSA-2026:2781
https://access.redhat.com/errata/RHSA-2026:2781
access.redhat.com/errata/RHSA-2026:2782
https://access.redhat.com/errata/RHSA-2026:2782
access.redhat.com/errata/RHSA-2026:2783
https://access.redhat.com/errata/RHSA-2026:2783
access.redhat.com/errata/RHSA-2026:2864
https://access.redhat.com/errata/RHSA-2026:2864
access.redhat.com/errata/RHSA-2026:2899
https://access.redhat.com/errata/RHSA-2026:2899
access.redhat.com/errata/RHSA-2026:6402
https://access.redhat.com/errata/RHSA-2026:6402
access.redhat.com/errata/RHSA-2026:6431
https://access.redhat.com/errata/RHSA-2026:6431
access.redhat.com/errata/RHSA-2026:7386
https://access.redhat.com/errata/RHSA-2026:7386
access.redhat.com/errata/RHSA-2026:7387
https://access.redhat.com/errata/RHSA-2026:7387
access.redhat.com/security/cve/CVE-2025-55130
https://access.redhat.com/security/cve/CVE-2025-55130
bugzilla.redhat.com/show_bug.cgi?id=2431352
https://bugzilla.redhat.com/show_bug.cgi?id=2431352
security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55130.json
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-55130.json