Incorrect Default Permissions Affecting nodejs package, versions [22.20.0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.15% (5th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Default Permissions vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-CONAN-NODEJS-17675093
  • published29 Jun 2026
  • disclosed26 Jun 2026
  • creditmuhammaddaffa

Introduced: 26 Jun 2026

NewCVE-2026-48935  (opens in a new tab)
CWE-276  (opens in a new tab)

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

Affected versions of this package are vulnerable to Incorrect Default Permissions in the futimes() function of lib/internal/fs/promises.js, which backs FileHandle.utimes() and performs no file system permission check. An attacker who can execute code in a process running under the Permission Model without write access can alter a file's access and modification timestamps, including on paths granted only read access through --allow-fs-read, by calling utimes() on a FileHandle. Exploitation requires the process to be started with the Permission Model enabled, and the impact is limited to changing file timestamps rather than file contents.

CVSS Base Scores

version 4.0
version 3.1