CVE-2025-55132

CVE-2025-55132 is a medium-severity vulnerability in Nodejs Node.js with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-276.

Key facts

Description

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

Frequently asked questions

What is CVE-2025-55132?
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.
How severe is CVE-2025-55132?
CVE-2025-55132 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2025-55132 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (13th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-55132?
CVE-2025-55132 affects Nodejs Node.js. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-55132?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-55132 have an EU (EUVD) identifier?
Yes. CVE-2025-55132 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-3325.
When was CVE-2025-55132 published?
CVE-2025-55132 was published on 2026-01-20 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Nodejs Node.js

All CVEs affecting Nodejs Node.js →

Other CWE-276 (Incorrect Default Permissions) vulnerabilities

Browse all CWE-276 (Incorrect Default Permissions) vulnerabilities →