01-16-2026, 12:30 PM
Low
resolved
resolved
fs.futimes() Bypasses Read-Only Permission Model
Bug reported by Yunmo Yang was disclosed at January 15, 2026, 10:26 am | Improper Access Control - Generic
A flaw in Node.js's permission model was discovered that allowed a file's access and modification timestamps to be changed via `futimes()` even when the process had only read permissions. Unlike `utimes()`, `futimes()` did not apply the expected write-permission checks, which meant file metadata could be modified in read-only directories. This vulnerability affected users of the permission model on Node.js v20, v22, v24, and v25.