CVE-2025-55132 LOW

Vendor: Nodejs
Product: node
Published: January 20, 2026
Last update: January 21, 2026

CVSS base score

2.8/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Key dates

02 Disclosure timeline

January 20, 2026: CVE published
January 21, 2026: Record updated