AZL-74982

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74982.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-74982

Upstream

CVE-2025-55132

Published

2026-01-20T21:16:03Z

Modified

2026-04-01T05:22:47.820520Z

Summary

CVE-2025-55132 affecting package nodejs for versions less than 20.14.0-13

Details

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes() even when the process has only read permissions. Unlike utimes(), futimes() does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-55132

Affected packages

Azure Linux:3 / nodejs

Package

Name: nodejs
Purl: pkg:rpm/azure-linux/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

20.14.0-13

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-74982.json"