Inconsistent off_t Size in libuv and Node.js for 32-bit Debian Systems
CVE-2025-47153

6.5 MEDIUM

Key Information:

Vendor: Debian

Status
Vendor
CVE Published: 1 May 2025

What is CVE-2025-47153?

Certain build processes for libuv and Node.js on 32-bit systems, notably the Node.js binary package on Debian GNU/Linux, end up with inconsistent definitions of the size of off_t. When built on i386 Debian, the libuv dynamic library is compiled with _FILE_OFFSET_BITS=64, while Node.js relies on the system-wide default of 32. Because the two sides then disagree on the width of off_t, this can lead to out-of-bounds access. This issue does not arise from the Node.js software itself, as prebuilt versions for 32-bit Linux are not provided on the Node.js download page.
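The mismatch described above, modelled as an added example (not code from libuv, Node.js or Debian): two views of one request structure, one with a 64-bit offset field and one with a 32-bit field, plus a check an application can run against the off_t width its library was built with. The struct names, fields and helper functions are hypothetical, and fixed-width types stand in for off_t so the result is the same on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical layout a library compiled with _FILE_OFFSET_BITS=64 expects. */
struct req_lib64 { int32_t fd; int64_t off; uint32_t nbufs; };

/* Hypothetical layout an application compiled with a 32-bit off_t allocates. */
struct req_app32 { int32_t fd; int32_t off; uint32_t nbufs; };

/* Bytes the library would touch past the end of the application's object
 * if it were handed a pointer to the smaller structure. */
size_t overrun_bytes(void) {
    return sizeof(struct req_lib64) - sizeof(struct req_app32);
}

/* How far apart the two sides place the field that follows the offset.
 * Any non-zero value means they read and write different memory for it. */
size_t field_skew(void) {
    return offsetof(struct req_lib64, nbufs) - offsetof(struct req_app32, nbufs);
}

/* Defensive check: compare the off_t width of this translation unit with
 * the width the library was built with (supplied by the caller, for example
 * a value recorded when the library was compiled). Returns 1 on agreement. */
int off_t_abi_matches(size_t lib_off_t_size) {
    return sizeof(off_t) == lib_off_t_size;
}

int main(void) {
    printf("library view:     size=%zu nbufs@%zu\n",
           sizeof(struct req_lib64), offsetof(struct req_lib64, nbufs));
    printf("application view: size=%zu nbufs@%zu\n",
           sizeof(struct req_app32), offsetof(struct req_app32, nbufs));
    printf("overrun=%zu bytes, field skew=%zu bytes\n",
           overrun_bytes(), field_skew());
    /* Assumes a library built with _FILE_OFFSET_BITS=64 (8-byte off_t). */
    if (!off_t_abi_matches(8)) {
        fprintf(stderr, "off_t width differs from the library's; rebuild "
                        "with _FILE_OFFSET_BITS=64\n");
        return 1;
    }
    return 0;
}
```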

Affected Version(s)

trixie i386 nodejs_0.10.0~dfsg1-1_i386.deb

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
