CVE-2025-55132

low

Red Hat

CVSS v3 Base Score

2.8

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

EPSS Score

0.0%

Exploitation probability in 30 days

Top 99% most likely to be exploited

Attack Characteristics

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Confidentiality

Low

Integrity

None

Availability

None

Published: January 20, 2026 (114 days ago)

Last Modified: January 20, 2026

Vendor: Red Hat

Fix Available: ✓ Yes

Description

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

CWE

CWE-281

Affected Products

Red Hat Enterprise Linux 10Red Hat Enterprise Linux 8Red Hat Enterprise Linux 9

Fix Status

✅ Fix Available

References

🔗 bugzilla.redhat.com 🔗 www.cve.org 🔗 nvd.nist.gov 🔗 nodejs.org

CVE-2025-55132

Vulnerability Report

Description

CWE

Affected Products

Fix Status

References