CVE-2025-55132

Name	CVE-2025-55132
Description	A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-6166-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
nodejs (PTS)	bullseye	12.22.12~dfsg-1~deb11u4	fixed
	bullseye (security)	12.22.12~dfsg-1~deb11u7	fixed
	bookworm, bookworm (security)	18.20.4+dfsg-1~deb12u1	fixed
	trixie	20.19.2+dfsg-1	vulnerable
	trixie (security)	20.19.2+dfsg-1+deb13u2	fixed
	forky, sid	22.22.2+dfsg+~cs22.19.15-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
nodejs	source	bullseye	(not affected)
nodejs	source	bookworm	(not affected)
nodejs	source	trixie	20.19.2+dfsg-1+deb13u1	DSA-6166-1
nodejs	source	(unstable)	22.22.0+dfsg+~cs22.19.6-1

Notes

[bookworm] - nodejs <not-affected> (permission model feature added to nodejs v20)
[bullseye] - nodejs <not-affected> (permission model feature added to nodejs v20)
https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#fsfutimes-bypasses-read-only-permission-model-cve-2025-55132---low
Fixed by: https://github.com/nodejs/node/commit/14fbbb510c6d62b4510e3f48ee801807d9a5fbab (v20.20.0)
Permission model added by nodejs v20.0.0 (https://nodejs.org/en/blog/announcements/v20-release-announce)