HackerOne Disclosed Reports - 2026-01-15

Low | resolved

fs.futimes() Bypasses Read-Only Permission Model


Bug reported by Yunmo Yang was disclosed on January 15, 2026, 10:26 am | Improper Access Control - Generic

A flaw in Node.js's permission model allowed a file's access and modification timestamps to be changed via `futimes()` even when the process had been granted only read access to the file (for example with `--allow-fs-read`). Unlike `utimes()`, which takes a path and performs the expected write-permission check, `futimes()` operates on an already-open file descriptor and did not apply that check, so a process could alter timestamp metadata on files in directories it was permitted only to read. The impact is limited to metadata (atime/mtime), not file contents, which is consistent with the Low rating. This vulnerability affected users of the permission model on Node.js v20, v22, v24, and v25; anyone relying on the permission model on those release lines should update to a build that includes the fix.




