Home > Vulnerability Database > CVE-2025-55132

Mend.io Vulnerability Database

CVE-2025-55132

Good to know:

Date: January 20, 2026

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via "futimes()" even when the process has only read permissions. Unlike "utimes()", "futimes()" does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Severity Score

2.8

Related Resources (4)

Url: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Url: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases#timeout-based-race-conditions-make-uint8arraybufferalloc-non-zerofilled-cve-2025-55131---high

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-55132

Url: https://www.mend.io/vulnerability-database/CVE-2025-55132

Severity Score

2.8

Weakness Type (CWE)

Incorrect Default Permissions

CWE-276

Top Fix

Upgrade Version

Upgrade to version https://github.com/nodejs/node.git - v20.20.0;https://github.com/nodejs/node.git - v22.22.0;https://github.com/nodejs/node.git - v24.13.0;https://github.com/nodejs/node.git - v25.3.0

Learn More

CVSS v3.1

Base Score:	2.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-55132

Good to know:

Date: January 20, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?