#VU126387 Link following in Node.js - CVE-2025-55130

 


Published: April 17, 2026


Vulnerability identifier: #VU126387
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-55130
CWE-ID: CWE-59
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Node.js
Software vendor: Node.js Foundation

Description

The vulnerability allows a local user to read or modify arbitrary files outside the intended allowed path.

The vulnerability exists due to improper access control in the permission model path restriction handling when processing crafted relative symlink paths. A local user can chain directories and symlinks to read or modify arbitrary files outside the intended allowed path.

The issue affects use of the permission model with --allow-fs-read or --allow-fs-write restrictions.


Remediation

Install the security update from the vendor's website.

External links