CVE-2025-55132

5.3 MEDIUM

📋 TL;DR

A vulnerability in Node.js's permission model allows attackers to modify file timestamps using the futimes() function even when they only have read permissions. This can be used to obscure malicious activity by altering timestamps in read-only directories, reducing forensic reliability. It affects Node.js v20, v22, v24, and v25 users who have enabled the experimental permission model.

💻 Affected Systems

Products:
  • Node.js
Versions: v20, v22, v24, v25
Operating Systems: All platforms running affected Node.js versions
Default Config Vulnerable: ✅ No
Notes: Only affects systems where the experimental permission model is enabled (--experimental-permission flag). Standard Node.js installations without this flag are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could systematically alter timestamps across critical systems to hide evidence of data exfiltration, malware installation, or unauthorized access, complicating incident response and forensic investigations.

🟠 Likely Case

Limited timestamp manipulation in specific directories to obscure individual file access or modification events, potentially bypassing some security monitoring that relies on timestamp integrity.

🟢 If Mitigated

Minimal impact if proper logging and monitoring are in place, as timestamp changes would be logged as anomalies rather than causing direct data loss or system compromise.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires existing access to execute Node.js code with the permission model enabled. The vulnerability is in the API implementation rather than requiring complex chaining.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v20.18.1, v22.12.1, v24.11.1, v25.8.1

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2025-security-releases

Restart Required: Yes

Instructions:

1. Check current Node.js version with 'node --version'.
2. If running affected version, update using your package manager (npm, apt, yum, etc.) or download from nodejs.org.
3. Restart all Node.js applications and services.

🔧 Temporary Workarounds

Disable Permission Model (all platforms)

Temporarily disable the experimental permission model if not required for functionality

Remove --experimental-permission flag from Node.js startup commands

🧯 If You Can't Patch

  • Implement strict file integrity monitoring to detect timestamp changes
  • Restrict Node.js execution to trusted users and applications only

🔍 How to Verify

Check if Vulnerable:

Check if Node.js version is v20.x (<20.18.1), v22.x (<22.12.1), v24.x (<24.11.1), or v25.x (<25.8.1) AND the --experimental-permission flag is enabled

Check Version:

node --version

Verify Fix Applied:

Verify Node.js version is v20.18.1+, v22.12.1+, v24.11.1+, or v25.8.1+ using 'node --version'
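The two-part check above (release line below its patched version AND the permission flag on the command line), as an added example that is not from the advisory or the Node.js project. The inventory entries and the status labels are constructed for illustration; the patched versions are the ones listed on this page.

```javascript
// Fixed releases per release line, copied from the "Patch Version" field above.
const PATCHED = { 20: [20, 18, 1], 22: [22, 12, 1], 24: [24, 11, 1], 25: [25, 8, 1] };

// The flag the advisory names, plus --permission, the name newer release
// lines use for the same switch (an addition here, not taken from the page).
const PERMISSION_FLAGS = new Set(['--experimental-permission', '--permission']);

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognized Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Classify one runtime: both conditions from "Check if Vulnerable" must hold.
function assess(version, execArgv) {
  const parsed = parseVersion(version);
  const fixed = PATCHED[parsed[0]];
  if (!fixed) return 'line-not-listed';
  if (!isBelow(parsed, fixed)) return 'patched';
  const flagOn = execArgv.some((arg) => PERMISSION_FLAGS.has(arg));
  return flagOn ? 'vulnerable' : 'unpatched-flag-off';
}

// Constructed sample inventory (hypothetical hosts, not real data).
const SAMPLE = [
  { host: 'api-1', version: 'v22.11.0', execArgv: ['--experimental-permission', '--allow-fs-read=/srv/app'] },
  { host: 'api-2', version: 'v22.12.1', execArgv: ['--experimental-permission'] },
  { host: 'batch-1', version: 'v20.18.0', execArgv: [] },
];

function report(inventory) {
  return inventory.map((e) => ({ host: e.host, status: assess(e.version, e.execArgv) }));
}

console.log(report(SAMPLE));
console.log('this runtime:', assess(process.version, process.execArgv));
```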

📡 Detection & Monitoring

Log Indicators:

  • Unexpected timestamp modifications in read-only directories
  • futimes() calls in permission-restricted contexts

Network Indicators:

  • None - this is a local file system vulnerability

SIEM Query:

Process execution logs showing Node.js with --experimental-permission flag AND file modification events in read-only paths
