CVE-2025-55132 (GCVE-0-2025-55132)

Vulnerability from cvelistv5 – Published: 2026-01-20 20:41 – Updated: 2026-01-20 20:41
VLAI?
Summary
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Severity ?
2.8 (Low)
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Assigner
References
Impacted products
Vendor Product Version
nodejs node Affected: 20.19.6 , ≤ 20.19.6 (semver)
Affected: 22.21.1 , ≤ 22.21.1 (semver)
Affected: 24.12.0 , ≤ 24.12.0 (semver)
Affected: 25.2.1 , ≤ 25.2.1 (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "node",
          "vendor": "nodejs",
          "versions": [
            {
              "lessThanOrEqual": "20.19.6",
              "status": "affected",
              "version": "20.19.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "22.21.1",
              "status": "affected",
              "version": "22.21.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "24.12.0",
              "status": "affected",
              "version": "24.12.0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "25.2.1",
              "status": "affected",
              "version": "25.2.1",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 2.8,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.0"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-20T20:41:55.620Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2025-55132",
    "datePublished": "2026-01-20T20:41:55.620Z",
    "dateReserved": "2025-08-07T15:00:05.576Z",
    "dateUpdated": "2026-01-20T20:41:55.620Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-55132\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2026-01-20T21:16:03.430\",\"lastModified\":\"2026-01-20T21:16:03.430\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw in Node.js\u0027s permission model allows a file\u0027s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":2.8,\"baseSeverity\":\"LOW\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":1.4}]},\"references\":[{\"url\":\"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases\",\"source\":\"support@hackerone.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.