Bug 2431338 (CVE-2025-55132)

Summary: CVE-2025-55132 nodejs: Nodejs filesystem permissions bypass
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: caswilli, kaycoth
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A file access flaw has been discovered in NodeJS. A file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2431450, 2431451, 2431452, 2431453, 2431454, 2431455, 2431456    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-20 21:01:37 UTC 
A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20,  v22,  v24, and v25.
Comment 2 errata-xmlrpc 2026-02-05 15:58:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1843 https://access.redhat.com/errata/RHSA-2026:1843
Comment 3 errata-xmlrpc 2026-02-05 15:58:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1842 https://access.redhat.com/errata/RHSA-2026:1842
Comment 4 errata-xmlrpc 2026-02-10 12:44:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2420 https://access.redhat.com/errata/RHSA-2026:2420
Comment 5 errata-xmlrpc 2026-02-10 12:44:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2422 https://access.redhat.com/errata/RHSA-2026:2422
Comment 6 errata-xmlrpc 2026-02-10 12:45:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:2421 https://access.redhat.com/errata/RHSA-2026:2421
Comment 7 errata-xmlrpc 2026-02-17 09:25:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2781 https://access.redhat.com/errata/RHSA-2026:2781
Comment 8 errata-xmlrpc 2026-02-17 09:25:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2783 https://access.redhat.com/errata/RHSA-2026:2783
Comment 9 errata-xmlrpc 2026-02-17 09:25:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:2782 https://access.redhat.com/errata/RHSA-2026:2782