Node.js fs.futimes() Bypasses Read-Only Permission Model

Vulnerability

A vulnerability in Node.js's permission model allows a file's access and modification timestamps to be changed with the futimes() function, even in directories with read-only permissions. The issue arises because futimes() lacks the write-permission checks that utimes() performs. As a result, file metadata can be altered in read-only environments, potentially obscuring activity and undermining log reliability. This vulnerability impacts Node.js versions 20.x, 22.x, 24.x, and 25.x.

Impact

Exploiting this vulnerability can lead to unauthorized modifications of file metadata in read-only directories, allowing for the manipulation of timestamps. Such changes could obscure activity and reduce the reliability of logs.

Remediation

Users can upgrade to Node.js versions 20.20.0, 22.22.0, 24.13.0, or 25.4.0 to address this vulnerability.
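
The following is an added example, not code from Node.js or from this advisory: a triage helper that classifies Node.js version strings against the fixed releases listed above and orders affected hosts so that those running the permission model are upgraded first. The host names and inventory shape are constructed for illustration, and it assumes every release below the fix in a listed line is affected.

```javascript
// Fixed release per affected line, from the Remediation section above.
const FIXED = { 20: [20, 20, 0], 22: [22, 22, 0], 24: [24, 13, 0], 25: [25, 4, 0] };

// Parse "v22.21.1" or "22.21.1"; pre-release/nightly suffixes are rejected
// rather than guessed at.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// 'fixed' | 'affected' | 'not-listed' (line not named in the advisory) | 'invalid'
function classify(version) {
  const parsed = parseVersion(version);
  if (!parsed) return 'invalid';
  const fixed = FIXED[parsed[0]];
  if (!fixed) return 'not-listed';
  for (let i = 1; i < 3; i++) {
    if (parsed[i] !== fixed[i]) return parsed[i] > fixed[i] ? 'fixed' : 'affected';
  }
  return 'fixed';
}

// The bypass only matters where the permission model is switched on;
// process.permission is defined only in that case.
function permissionModelActive(proc = process) {
  return typeof proc.permission?.has === 'function';
}

// Hosts that need the upgrade, permission-model users first.
function upgradeQueue(inventory) {
  return inventory
    .filter((h) => classify(h.version) === 'affected')
    .sort((a, b) => Number(b.permissionModel) - Number(a.permissionModel))
    .map((h) => h.host);
}

// Constructed sample inventory (hypothetical hosts, not from the advisory).
const SAMPLE = [
  { host: 'build-01', version: 'v22.21.1', permissionModel: false },
  { host: 'sandbox-02', version: 'v24.12.0', permissionModel: true },
  { host: 'api-03', version: 'v20.20.0', permissionModel: true },
  { host: 'legacy-04', version: 'v18.20.4', permissionModel: false },
];

console.log('this runtime:', process.version, classify(process.version),
  'permission model active:', permissionModelActive());
console.log('upgrade queue:', upgradeQueue(SAMPLE));
```

A 'not-listed' result means the advisory text says nothing about that release line, not that the line is safe.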

Added: Jan 20, 2026, 9:30 PM
Updated: Jan 20, 2026, 9:30 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 0.6
exploitability: 3.3
remediation: 7.7
relevance: 2.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.