HackerOne Disclosed Reports - 2026-01-15 - Printable Version (Dark C0d3rs, https://darkcoders.wiki, Forum: Research Papers/Vulnerability reports)
HackerOne disclosed reports - 2026-01-15 - hashXploiter - 01-16-2026
Low | resolved
fs.futimes() Bypasses Read-Only Permission Model
Bug reported by Yunmo Yang was disclosed on January 15, 2026, 10:26 am | Improper Access Control - Generic

A flaw in Node.js's permission model was discovered that allowed a file's access and modification timestamps to be changed via `futimes()` even when the process had only read permissions. Unlike `utimes()`, `futimes()` did not apply the expected write-permission checks, which meant file metadata could be modified in read-only directories. This vulnerability affected users of the permission model on Node.js v20, v22, v24, and v25.