{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-20T20:41:55Z",
  "bugzilla" : {
    "description" : "nodejs: Nodejs filesystem permissions bypass",
    "id" : "2431338",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2431338"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-281",
  "details" : [ "A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.", "A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1842",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs24-1:24.13.0-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-02-05T00:00:00Z",
    "advisory" : "RHSA-2026:1843",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "nodejs22-1:22.22.0-3.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2420",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:24-8100020260116121421.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2421",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:22-8100020260119091831.6d880403"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-02-10T00:00:00Z",
    "advisory" : "RHSA-2026:2422",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:20-8100020260119100525.489197e6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2781",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:24-9070020260117213814.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2782",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:22-9070020260117213838.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-02-17T00:00:00Z",
    "advisory" : "RHSA-2026:2783",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs:20-9070020260117213748.rhel9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-01T00:00:00Z",
    "advisory" : "RHSA-2026:6402",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6431",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7378",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs25-main-25.9.0-1.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7386",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs20-main-20.20.0-7.1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-10T00:00:00Z",
    "advisory" : "RHSA-2026:7387",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs22-main-22.22.0-1.3.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-11T00:00:00Z",
    "advisory" : "RHSA-2026:7657",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "nodejs24-main-24.14.1-4.1.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-55132\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55132\nhttps://nodejs.org/en/blog/vulnerability/december-2025-security-releases" ],
  "name" : "CVE-2025-55132",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}