CVE-2025-55132

NameCVE-2025-55132
DescriptionA flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nodejs (PTS)bullseye12.22.12~dfsg-1~deb11u4vulnerable
bullseye (security)12.22.12~dfsg-1~deb11u7vulnerable
bookworm, bookworm (security)18.20.4+dfsg-1~deb12u1vulnerable
trixie20.19.2+dfsg-1vulnerable
forky, sid22.22.0+dfsg+~cs22.19.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nodejssource(unstable)22.22.0+dfsg+~cs22.19.6-1

Notes

https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#fsfutimes-bypasses-read-only-permission-model-cve-2025-55132---low
Search for package or bug name: Reporting problems