CVE-2025-47153
Published: 2025-05-01
Severity: Medium, 6.5 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.
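The mismatch described above, as an added example (not code from libuv, Node.js or Debian): the hypothetical structs `req_lib` and `req_app` stand in for any structure containing an `off_t`, with fixed-width integers emulating the two `_FILE_OFFSET_BITS` settings. It shows how the two layouts diverge and how a size check at the library boundary rejects a mismatched caller instead of writing past its allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request struct, NOT libuv's real layout. The two views emulate
 * one header compiled with two different off_t widths. */
struct req_lib { int fd; int64_t offset; int result; }; /* library: _FILE_OFFSET_BITS=64 */
struct req_app { int fd; int32_t offset; int result; }; /* caller: 32-bit off_t default  */

/* Struct size the library was built with (hypothetical exported helper). */
size_t lib_req_size(void) { return sizeof(struct req_lib); }

/* Bytes the library would write past a caller-sized allocation when it stores
 * `result` using its own layout and no size check is made. */
size_t overrun_bytes(void)
{
    size_t end = offsetof(struct req_lib, result) + sizeof(int);
    return end > sizeof(struct req_app) ? end - sizeof(struct req_app) : 0;
}

/* Library-side completion with an ABI guard: the caller passes its own
 * sizeof, and the library refuses to touch memory if the sizes disagree. */
int lib_complete(void *req, size_t caller_size, int value)
{
    if (caller_size != sizeof(struct req_lib))
        return -1;                      /* off_t width mismatch detected */
    ((struct req_lib *)req)->result = value;
    return 0;
}

int main(void)
{
    struct req_app app;
    memset(&app, 0, sizeof app);

    printf("library struct: %zu bytes, caller struct: %zu bytes\n",
           lib_req_size(), sizeof app);
    printf("unchecked write would overrun the caller by %zu bytes\n",
           overrun_bytes());

    if (lib_complete(&app, sizeof app, 7) != 0)
        printf("guard rejected the mismatched caller; result untouched: %d\n",
               app.result);
    return 0;
}
```

The same comparison can be made at package build time by confirming that the library and every consumer are compiled with the same `_FILE_OFFSET_BITS` value.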
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nodejs | < nodejs 18.20.4+dfsg-1~deb12u1 (bookworm) | nodejs 18.20.4+dfsg-1~deb12u1 (bookworm) |
| debian | trixie | nodejs_0.10.0~dfsg1-1_i386.deb – nodejs_20.19.0+dfsg-2_i386.deb | — |
| nodejs | nodejs | >= 0 < 12.22.12~dfsg-1~deb11u7 | 12.22.12~dfsg-1~deb11u7 |
| nodejs | nodejs | >= 0 < 18.20.4+dfsg-1~deb12u1 | 18.20.4+dfsg-1~deb12u1 |
| nodejs | nodejs | >= 0 < 20.19.0+dfsg1-1 | 20.19.0+dfsg1-1 |
| nodejs | nodejs | >= 0 < 20.19.0+dfsg1-1 | 20.19.0+dfsg1-1 |
CVSS provenance
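| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L |
| osv | | 6.5 | MEDIUM | |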