ALPINE-CVE-2025-55132

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2025-55132

Import Source

https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-55132.json

JSON Data

https://api.osv.dev/v1/vulns/ALPINE-CVE-2025-55132

Upstream

CVE-2025-55132

Published

2026-01-20T21:16:03.430Z

Modified

2026-01-23T17:16:17.832380Z

Severity

2.8 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

References

https://security.alpinelinux.org/vuln/CVE-2025-55132

Affected packages

Alpine:v3.22 / nodejs

Package

Name: nodejs
Purl: pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.22.0-r0

Affected versions

22.*

22.11.0-r0

22.11.0-r1

22.11.0-r2

22.13.1-r0

22.13.1-r1

22.13.1-r2

22.13.1-r3

22.13.1-r4

22.13.1-r5

22.16.0-r0

22.16.0-r1

22.16.0-r2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2025-55132.json"

Alpine:v3.23 / nodejs