CVE-2025-55132

Severity
5.3 MEDIUM
EPSS
0.0%
top 98.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published Jan 20

Description

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages: 3 packages

NVD | nodejs/node.js | 20.0.0 | 20.20.0 | +3
Debian | nodejs | < 20.19.2+dfsg-1+deb13u1 | +1
CVEListV5 | nodejs/node | 20.19.6 | 20.19.6 | +3

🔴Vulnerability Details

3
OSV
CVE-2025-55132: A flaw in Node 2026-01-20
GHSA
GHSA-pm9v-wcw9-xgpv: A flaw in Node 2026-01-20
CVEList
CVE-2025-55132: A flaw in Node 2026-01-20

📋Vendor Advisories

2
Red Hat
nodejs: Nodejs filesystem permissions bypass 2026-01-20
Debian
CVE-2025-55132: nodejs - A flaw in Node.js's permission model allows a file's access and modification tim... 2025

🕵️Threat Intelligence

1
Wiz
CVE-2025-55132 Impact, Exploitability, and Mitigation Steps | Wiz

💬Community

1
Bugzilla
CVE-2025-55132 nodejs: Nodejs filesystem permissions bypass 2026-01-20