[AUTO-CHERRYPICK] [AutoPR- Security] Patch nodejs for CVE-2025-55130 [HIGH] - branch 3.0-dev (#15703)

CBL-Mariner-Bot · azurelinux-security · jslobodzian · web-flow · commit 82d82f007e39 · 2026-02-03T21:46:43.000-05:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/nodejs/CVE-2025-55130.patch b/SPECS/nodejs/CVE-2025-55130.patch
@@ -0,0 +1,312 @@
+From b9f628994a4c17f42fa9fc96337db89ccaeef0f9 Mon Sep 17 00:00:00 2001
+From: RafaelGSS <rafael.nunu@hotmail.com>
+Date: Mon, 10 Nov 2025 19:27:51 -0300
+Subject: [PATCH] lib,permission: require full read and write to symlink APIs
+
+Refs: https://hackerone.com/reports/3417819
+PR-URL: https://github.com/nodejs-private/node-private/pull/760
+Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
+CVE-ID: CVE-2025-55130
+Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://github.com/nodejs/node/commit/494f62dc23.patch
+---
+ lib/fs.js                                     | 34 ++++++-------------
+ lib/internal/fs/promises.js                   | 20 +++--------
+ .../permission/fs-symlink-target-write.js     | 18 ++--------
+ test/fixtures/permission/fs-symlink.js        | 18 ++++++++--
+ .../test-permission-fs-symlink-relative.js    | 10 +++---
+ test/parallel/test-permission-fs-symlink.js   | 14 ++++++++
+ 6 files changed, 52 insertions(+), 62 deletions(-)
+
+diff --git a/lib/fs.js b/lib/fs.js
+index fd339900..85f8301a 100644
+--- a/lib/fs.js
++++ b/lib/fs.js
+@@ -59,7 +59,6 @@ const {
+ } = constants;
+ 
+ const pathModule = require('path');
+-const { isAbsolute } = pathModule;
+ const { isArrayBufferView } = require('internal/util/types');
+ 
+ const binding = internalBinding('fs');
+@@ -1736,18 +1735,12 @@ function symlink(target, path, type_, callback_) {
+   const type = (typeof type_ === 'string' ? type_ : null);
+   const callback = makeCallback(arguments[arguments.length - 1]);
+ 
+-  if (permission.isEnabled()) {
+-    // The permission model's security guarantees fall apart in the presence of
+-    // relative symbolic links. Thus, we have to prevent their creation.
+-    if (BufferIsBuffer(target)) {
+-      if (!isAbsolute(BufferToString(target))) {
+-        callback(new ERR_ACCESS_DENIED('relative symbolic link target'));
+-        return;
+-      }
+-    } else if (typeof target !== 'string' || !isAbsolute(toPathIfFileURL(target))) {
+-      callback(new ERR_ACCESS_DENIED('relative symbolic link target'));
+-      return;
+-    }
++  // Due to the nature of Node.js runtime, symlinks has different edge cases that can bypass
++  // the permission model security guarantees. Thus, this API is disabled unless fs.read
++  // and fs.write permission has been given.
++  if (permission.isEnabled() && !permission.has('fs')) {
++    callback(new ERR_ACCESS_DENIED('fs.symlink API requires full fs.read and fs.write permissions.'));
++    return;
+   }
+ 
+   target = getValidatedPath(target, 'target');
+@@ -1807,16 +1800,11 @@ function symlinkSync(target, path, type) {
+     }
+   }
+ 
+-  if (permission.isEnabled()) {
+-    // The permission model's security guarantees fall apart in the presence of
+-    // relative symbolic links. Thus, we have to prevent their creation.
+-    if (BufferIsBuffer(target)) {
+-      if (!isAbsolute(BufferToString(target))) {
+-        throw new ERR_ACCESS_DENIED('relative symbolic link target');
+-      }
+-    } else if (typeof target !== 'string' || !isAbsolute(toPathIfFileURL(target))) {
+-      throw new ERR_ACCESS_DENIED('relative symbolic link target');
+-    }
++  // Due to the nature of Node.js runtime, symlinks has different edge cases that can bypass
++  // the permission model security guarantees. Thus, this API is disabled unless fs.read
++  // and fs.write permission has been given.
++  if (permission.isEnabled() && !permission.has('fs')) {
++    throw new ERR_ACCESS_DENIED('fs.symlink API requires full fs.read and fs.write permissions.');
+   }
+ 
+   target = getValidatedPath(target, 'target');
+diff --git a/lib/internal/fs/promises.js b/lib/internal/fs/promises.js
+index 1544c34e..5584b2e3 100644
+--- a/lib/internal/fs/promises.js
++++ b/lib/internal/fs/promises.js
+@@ -18,7 +18,6 @@ const {
+   SymbolAsyncDispose,
+   Uint8Array,
+   FunctionPrototypeBind,
+-  uncurryThis,
+ } = primordials;
+ 
+ const { fs: constants } = internalBinding('constants');
+@@ -32,8 +31,6 @@ const {
+ 
+ const binding = internalBinding('fs');
+ const { Buffer } = require('buffer');
+-const { isBuffer: BufferIsBuffer } = Buffer;
+-const BufferToString = uncurryThis(Buffer.prototype.toString);
+ 
+ const {
+   codes: {
+@@ -89,8 +86,6 @@ const {
+   kValidateObjectAllowNullable,
+ } = require('internal/validators');
+ const pathModule = require('path');
+-const { isAbsolute } = pathModule;
+-const { toPathIfFileURL } = require('internal/url');
+ const {
+   kEmptyObject,
+   lazyDOMException,
+@@ -980,16 +975,11 @@ async function symlink(target, path, type_) {
+     }
+   }
+ 
+-  if (permission.isEnabled()) {
+-    // The permission model's security guarantees fall apart in the presence of
+-    // relative symbolic links. Thus, we have to prevent their creation.
+-    if (BufferIsBuffer(target)) {
+-      if (!isAbsolute(BufferToString(target))) {
+-        throw new ERR_ACCESS_DENIED('relative symbolic link target');
+-      }
+-    } else if (typeof target !== 'string' || !isAbsolute(toPathIfFileURL(target))) {
+-      throw new ERR_ACCESS_DENIED('relative symbolic link target');
+-    }
++  // Due to the nature of Node.js runtime, symlinks has different edge cases that can bypass
++  // the permission model security guarantees. Thus, this API is disabled unless fs.read
++  // and fs.write permission has been given.
++  if (permission.isEnabled() && !permission.has('fs')) {
++    throw new ERR_ACCESS_DENIED('fs.symlink API requires full fs.read and fs.write permissions.');
+   }
+ 
+   target = getValidatedPath(target, 'target');
+diff --git a/test/fixtures/permission/fs-symlink-target-write.js b/test/fixtures/permission/fs-symlink-target-write.js
+index c17d674d..6e07bfa8 100644
+--- a/test/fixtures/permission/fs-symlink-target-write.js
++++ b/test/fixtures/permission/fs-symlink-target-write.js
+@@ -26,8 +26,7 @@ const writeOnlyFolder = process.env.WRITEONLYFOLDER;
+     fs.symlinkSync(path.join(readOnlyFolder, 'file'), path.join(readWriteFolder, 'link-to-read-only'), 'file');
+   }, common.expectsError({
+     code: 'ERR_ACCESS_DENIED',
+-    permission: 'FileSystemWrite',
+-    resource: path.toNamespacedPath(path.join(readOnlyFolder, 'file')),
++    message: 'fs.symlink API requires full fs.read and fs.write permissions.',
+   }));
+   assert.throws(() => {
+     fs.linkSync(path.join(readOnlyFolder, 'file'), path.join(readWriteFolder, 'link-to-read-only'));
+@@ -37,18 +36,6 @@ const writeOnlyFolder = process.env.WRITEONLYFOLDER;
+     resource: path.toNamespacedPath(path.join(readOnlyFolder, 'file')),
+   }));
+ 
+-  // App will be able to symlink to a writeOnlyFolder
+-  fs.symlink(path.join(readWriteFolder, 'file'), path.join(writeOnlyFolder, 'link-to-read-write'), 'file', (err) => {
+-    assert.ifError(err);
+-    // App will won't be able to read the symlink
+-    fs.readFile(path.join(writeOnlyFolder, 'link-to-read-write'), common.expectsError({
+-      code: 'ERR_ACCESS_DENIED',
+-      permission: 'FileSystemRead',
+-    }));
+-
+-    // App will be able to write to the symlink
+-    fs.writeFile(path.join(writeOnlyFolder, 'link-to-read-write'), 'some content', common.mustSucceed());
+-  });
+   fs.link(path.join(readWriteFolder, 'file'), path.join(writeOnlyFolder, 'link-to-read-write2'), (err) => {
+     assert.ifError(err);
+     // App will won't be able to read the link
+@@ -66,8 +53,7 @@ const writeOnlyFolder = process.env.WRITEONLYFOLDER;
+     fs.symlinkSync(path.join(readWriteFolder, 'file'), path.join(readOnlyFolder, 'link-to-read-only'), 'file');
+   }, common.expectsError({
+     code: 'ERR_ACCESS_DENIED',
+-    permission: 'FileSystemWrite',
+-    resource: path.toNamespacedPath(path.join(readOnlyFolder, 'link-to-read-only')),
++    message: 'fs.symlink API requires full fs.read and fs.write permissions.',
+   }));
+   assert.throws(() => {
+     fs.linkSync(path.join(readWriteFolder, 'file'), path.join(readOnlyFolder, 'link-to-read-only'));
+diff --git a/test/fixtures/permission/fs-symlink.js b/test/fixtures/permission/fs-symlink.js
+index 4cf3b45f..ba60f781 100644
+--- a/test/fixtures/permission/fs-symlink.js
++++ b/test/fixtures/permission/fs-symlink.js
+@@ -54,7 +54,6 @@ const symlinkFromBlockedFile = process.env.EXISTINGSYMLINK;
+     fs.readFileSync(blockedFile);
+   }, common.expectsError({
+     code: 'ERR_ACCESS_DENIED',
+-    permission: 'FileSystemRead',
+   }));
+   assert.throws(() => {
+     fs.appendFileSync(blockedFile, 'data');
+@@ -68,7 +67,6 @@ const symlinkFromBlockedFile = process.env.EXISTINGSYMLINK;
+     fs.symlinkSync(regularFile, blockedFolder + '/asdf', 'file');
+   }, common.expectsError({
+     code: 'ERR_ACCESS_DENIED',
+-    permission: 'FileSystemWrite',
+   }));
+   assert.throws(() => {
+     fs.linkSync(regularFile, blockedFolder + '/asdf');
+@@ -82,7 +80,6 @@ const symlinkFromBlockedFile = process.env.EXISTINGSYMLINK;
+     fs.symlinkSync(blockedFile, path.join(__dirname, '/asdf'), 'file');
+   }, common.expectsError({
+     code: 'ERR_ACCESS_DENIED',
+-    permission: 'FileSystemRead',
+   }));
+   assert.throws(() => {
+     fs.linkSync(blockedFile, path.join(__dirname, '/asdf'));
+@@ -90,4 +87,19 @@ const symlinkFromBlockedFile = process.env.EXISTINGSYMLINK;
+     code: 'ERR_ACCESS_DENIED',
+     permission: 'FileSystemRead',
+   }));
++}
++
++// fs.symlink API is blocked by default
++{
++  assert.throws(() => {
++    fs.symlinkSync(regularFile, regularFile);
++  }, common.expectsError({
++    message: 'fs.symlink API requires full fs.read and fs.write permissions.',
++    code: 'ERR_ACCESS_DENIED',
++  }));
++
++  fs.symlink(regularFile, regularFile, common.expectsError({
++    message: 'fs.symlink API requires full fs.read and fs.write permissions.',
++    code: 'ERR_ACCESS_DENIED',
++  }));
+ }
+\ No newline at end of file
+diff --git a/test/parallel/test-permission-fs-symlink-relative.js b/test/parallel/test-permission-fs-symlink-relative.js
+index 4cc7d920..9080f16c 100644
+--- a/test/parallel/test-permission-fs-symlink-relative.js
++++ b/test/parallel/test-permission-fs-symlink-relative.js
+@@ -1,4 +1,4 @@
+-// Flags: --experimental-permission --allow-fs-read=* --allow-fs-write=*
++// Flags: --experimental-permission --allow-fs-read=*
+ 'use strict';
+ 
+ const common = require('../common');
+@@ -10,7 +10,7 @@ const { symlinkSync, symlink, promises: { symlink: symlinkAsync } } = require('f
+ 
+ const error = {
+   code: 'ERR_ACCESS_DENIED',
+-  message: /relative symbolic link target/,
++  message: /symlink API requires full fs\.read and fs\.write permissions/,
+ };
+ 
+ for (const targetString of ['a', './b/c', '../d', 'e/../f', 'C:drive-relative', 'ntfs:alternate']) {
+@@ -27,14 +27,14 @@ for (const targetString of ['a', './b/c', '../d', 'e/../f', 'C:drive-relative',
+   }
+ }
+ 
+-// Absolute should not throw
++// Absolute should throw too
+ for (const targetString of [path.resolve('.')]) {
+   for (const target of [targetString, Buffer.from(targetString)]) {
+     for (const path of [__filename]) {
+       symlink(target, path, common.mustCall((err) => {
+         assert(err);
+-        assert.strictEqual(err.code, 'EEXIST');
+-        assert.match(err.message, /file already exists/);
++        assert.strictEqual(err.code, error.code);
++        assert.match(err.message, error.message);
+       }));
+     }
+   }
+diff --git a/test/parallel/test-permission-fs-symlink.js b/test/parallel/test-permission-fs-symlink.js
+index c7d753c2..268a8ecb 100644
+--- a/test/parallel/test-permission-fs-symlink.js
++++ b/test/parallel/test-permission-fs-symlink.js
+@@ -21,15 +21,26 @@ const commonPathWildcard = path.join(__filename, '../../common*');
+ const blockedFile = fixtures.path('permission', 'deny', 'protected-file.md');
+ const blockedFolder = tmpdir.resolve('subdirectory');
+ const symlinkFromBlockedFile = tmpdir.resolve('example-symlink.md');
++const allowedFolder = tmpdir.resolve('allowed-folder');
++const traversalSymlink = path.join(allowedFolder, 'deep1', 'deep2', 'deep3', 'gotcha');
+ 
+ {
+   tmpdir.refresh();
+   fs.mkdirSync(blockedFolder);
++  // Create deep directory structure for path traversal test
++  fs.mkdirSync(allowedFolder);
++  fs.writeFileSync(path.resolve(allowedFolder, '../protected-file.md'), 'protected');
++  fs.mkdirSync(path.join(allowedFolder, 'deep1'));
++  fs.mkdirSync(path.join(allowedFolder, 'deep1', 'deep2'));
++  fs.mkdirSync(path.join(allowedFolder, 'deep1', 'deep2', 'deep3'));
+ }
+ 
+ {
+   // Symlink previously created
++  // fs.symlink API is allowed when full-read and full-write access
+   fs.symlinkSync(blockedFile, symlinkFromBlockedFile);
++  // Create symlink for path traversal test - symlink points to parent directory
++  fs.symlinkSync(allowedFolder, traversalSymlink);
+ }
+ 
+ {
+@@ -38,6 +49,7 @@ const symlinkFromBlockedFile = tmpdir.resolve('example-symlink.md');
+     [
+       '--experimental-permission',
+       `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, `--allow-fs-read=${symlinkFromBlockedFile}`,
++      `--allow-fs-read=${allowedFolder}`,
+       `--allow-fs-write=${symlinkFromBlockedFile}`,
+       file,
+     ],
+@@ -47,6 +59,8 @@ const symlinkFromBlockedFile = tmpdir.resolve('example-symlink.md');
+         BLOCKEDFOLDER: blockedFolder,
+         BLOCKEDFILE: blockedFile,
+         EXISTINGSYMLINK: symlinkFromBlockedFile,
++        TRAVERSALSYMLINK: traversalSymlink,
++        ALLOWEDFOLDER: allowedFolder,
+       },
+     }
+   );
+-- 
+2.45.4
+
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        12%{?dist}
+Release:        13%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,6 +35,7 @@ Patch16:        CVE-2025-55132.patch
 Patch17:        CVE-2025-59465.patch
 Patch18:        CVE-2025-59466.patch
 Patch19:        CVE-2026-21637.patch
+Patch20:        CVE-2025-55130.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -147,7 +148,10 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
-* Thr Jan 29 2026 Sandeep Karambelkar <skarambelkar@microsoft.com> - 20.14.0-12
+* Mon Feb 02 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20.14.0-13
+- Patch for CVE-2025-55130
+
+* Thu Jan 29 2026 Sandeep Karambelkar <skarambelkar@microsoft.com> - 20.14.0-12
 - Add nodejs provides to manage co existence with nodejs24
 
 * Wed Jan 28 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 20.14.0-11
