CVE-2025-55132 Overview
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
Critical Impact
This vulnerability enables timestamp manipulation on files without proper write permissions, potentially allowing attackers to obscure forensic evidence and reduce the reliability of audit logs in environments using Node.js's permission model.
Affected Products
- Node.js v20
- Node.js v22
- Node.js v24
- Node.js v25
Discovery Timeline
- 2026-01-20 - CVE-2025-55132 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2025-55132
Vulnerability Analysis
This vulnerability is classified as CWE-276 (Incorrect Default Permissions) and represents a permission model bypass in Node.js. The issue stems from an inconsistency in how the Node.js permission model handles file timestamp modification operations.
When Node.js's permission model is enabled, utimes() correctly verifies that the process has write permission before it modifies a file's access and modification timestamps. However, futimes(), which performs the same operation on a file descriptor rather than a file path, does not enforce the same check.
This discrepancy allows a process with only read access to a file to successfully modify its timestamps through futimes(). While this does not allow modification of file contents, it can be leveraged to manipulate forensic artifacts and obscure malicious activity.
Root Cause
The root cause is an inconsistent permission validation implementation between the utimes() and futimes() functions within Node.js's permission model. While utimes() properly validates write permissions before allowing timestamp modifications, futimes() bypasses these checks when operating on file descriptors, creating a security gap that violates the principle of least privilege.
Attack Vector
The attack requires local access to the system and involves exploiting the permission model bypass through the following mechanism:
A malicious actor with read-only access to sensitive files or directories protected by Node.js's permission model can leverage the futimes() function to modify file timestamps. By opening a file for reading (which is permitted) and then calling futimes() on the resulting file descriptor, the attacker can alter the access and modification timestamps without having write permissions.
This technique can be used to backdate files to hide recent modifications, manipulate log file timestamps to obscure the timeline of an attack, or interfere with file integrity monitoring systems that rely on timestamp analysis.
Detection Methods for CVE-2025-55132
Indicators of Compromise
- Unexpected changes to file timestamps, particularly on files in read-only directories or files that should not have been modified
- Discrepancies between file modification timestamps and actual file content changes
- Evidence of futimes() syscalls in audit logs from processes that should only have read access
Detection Strategies
- Enable system-level auditing for futimes() syscalls and correlate with process permission models
- Implement file integrity monitoring that tracks both content hashes and metadata changes independently
- Monitor Node.js application logs for unusual file descriptor operations on protected files
Monitoring Recommendations
- Configure auditd or similar tools to log all timestamp modification operations (utimes, futimes, utime syscalls)
- Establish baseline timestamp patterns for critical files and alert on anomalous modifications
- Review Node.js permission model configurations to identify files that may be at risk
How to Mitigate CVE-2025-55132
Immediate Actions Required
- Update Node.js to the latest patched version for your release line (v20, v22, v24, or v25)
- Review applications using Node.js's permission model to identify potentially affected file operations
- Implement additional file integrity monitoring on sensitive files as a defense-in-depth measure
Patch Information
Node.js has released security updates addressing this vulnerability. Organizations should update to the patched versions as documented in the Node.js December 2025 Security Releases.
For environments where immediate patching is not possible, consider the workarounds below while planning the upgrade.
Workarounds
- Avoid relying solely on Node.js's permission model for protecting sensitive file timestamps; implement OS-level access controls as an additional layer
- Use immutable file attributes where supported by the filesystem to prevent timestamp modifications
- Implement independent timestamp verification through cryptographic attestation rather than relying on filesystem metadata
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.