Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-55132

Опубликовано: 20 янв. 2026
Источник: nvd
CVSS3: 2.8
CVSS3: 5.3
EPSS Низкий

Описание

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 20.0.0 (включая) до 20.20.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 22.0.0 (включая) до 22.22.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 24.0.0 (включая) до 24.13.0 (исключая)
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Версия от 25.0.0 (включая) до 25.3.0 (исключая)

EPSS

Процентиль: 1%
0.00009
Низкий

2.8 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-276

Связанные уязвимости

ubuntu логотип

CVE-2025-55132

CVSS3: 5.3
ubuntu
2 месяца назад

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

redhat логотип

CVE-2025-55132

CVSS3: 2.8
redhat
2 месяца назад

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

debian логотип

CVE-2025-55132

CVSS3: 5.3
debian
2 месяца назад

A flaw in Node.js's permission model allows a file's access and modifi ...

github логотип

GHSA-pm9v-wcw9-xgpv

CVSS3: 2.8
github
2 месяца назад

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

fstec логотип

BDU:2026-00544

CVSS3: 3.3
fstec
2 месяца назад

Уязвимость функции futimes() программной платформы Node.js, позволяющая нарушителю получить доступ на изменение файлов

EPSS

Процентиль: 1%
0.00009
Низкий

2.8 Low

CVSS3

5.3 Medium

CVSS3

Дефекты

CWE-276