Inconsistent Off_t Size in Libuv and Node.js for 32-bit Debian Systems
CVE-2025-47153

6.5MEDIUM

Key Information:

Vendor

Debian
Status
Trixie
Vendor
CVE Published:
1 May 2025

What is CVE-2025-47153?

Certain build processes for libuv and Node.js on 32-bit systems, particularly for the Node.js binary package on Debian GNU/Linux, exhibit an inconsistent definition of off_t size. Specifically, when built on i386 Debian, the libuv dynamic library utilizes _FILE_OFFSET_BITS=64, while Node.js relies on a system-wide default of 32. This disparity can lead to potential out-of-bounds access, raising security concerns. It is crucial to note that this issue does not arise from the Node.js software itself, as prebuilt versions for 32-bit Linux are not provided on the Node.js download page.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

trixie i386 nodejs_0.10.0~dfsg1-1_i386.deb

References

https://bugzilla.redhat.com/show_bug.cgi?id=892601
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922075
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076350

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.