CVE-2025-55132
Description
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
Risk Information
Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
0.009
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are fixed in Node.js (20) (20.20.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js (20) (x64) (20.20.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 22 (MSI) (x64) (22.22.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 24 (MSI) (x64) (24.13.0) | Windows |
| Multiple vulnerabilities are fixed in Node.js 25 (MSI) (x64) (25.3.0) | Windows |
Patch Details
Patches provided by ManageEngine for this CVE:
| Patch ID | Patch Description |
|---|---|
| PATCH-354985 | Node.js (20) (20.20.0) |
| PATCH-354986 | Node.js (20) (x64) (20.20.0) |
| PATCH-354987 | Node.js 22 (MSI) (x64) (22.22.0) |
| PATCH-354988 | Node.js 24 (MSI) (x64) (24.13.0) |
| PATCH-355344 | Node.js 25 (MSI) (x64) (25.5.0) |