PT-2026-3359 · Node.js+2

Published: 2025-01-01 · Updated: 2026-04-17 · CVE-2025-55132

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Node.js versions 20 through 25

Description

A flaw in Node.js's permission model allows modification of a file's access and modification timestamps using the futimes() function, even with read-only permissions. Unlike utimes(), futimes() bypasses standard write-permission checks, enabling metadata changes in read-only directories. This could potentially obscure activity and compromise log reliability. The vulnerable function is futimes().

Recommendations

Update to a newer version that contains a fix for this vulnerability.

Fix

Weakness Enumeration

Improper Authorization
Incorrect Default Permissions

Related Identifiers

ALSA-2026:1842
ALSA-2026:1843
ALSA-2026:2420
ALSA-2026:2421
ALSA-2026:2422
ALSA-2026:2781
ALSA-2026:2782
ALSA-2026:2783
AZL-74982
BDU:2026-00544
BIT-NODE-2025-55132
BIT-NODE-MIN-2025-55132
CVE-2025-55132
MGASA-2026-0009
OESA-2026-1218
OESA-2026-1219
OESA-2026-1220
OESA-2026-1221
OPENSUSE-SU-2026:10062-1
OPENSUSE-SU-2026:10074-1
OPENSUSE-SU-2026:20236-1
RHSA-2026:1842
RHSA-2026:1843
RHSA-2026:2420
RHSA-2026:2421
RHSA-2026:2422
RHSA-2026:2781
RHSA-2026:2782
RHSA-2026:2783
RHSA-2026:6402
RHSA-2026:6431
RHSA-2026:7378
RHSA-2026:7386
RHSA-2026:7387
RHSA-2026:7657
SUSE-SU-2026:0295-1
SUSE-SU-2026:0301-1
SUSE-SU-2026:0435-1
SUSE-SU-2026:0457-1
SUSE-SU-2026:20436-1

Affected Products

Node.js
Red Os
Rocky Linux