CVE-2025-47153

Publication date 1 May 2025

Last updated 7 May 2025

Ubuntu priority

Certain build processes for libuv and Node.js for 32-bit systems, such as for the nodejs binary package through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux, have an inconsistent off_t size (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the _FILE_OFFSET_BITS global system default of 32 for nodejs), leading to out-of-bounds access. NOTE: this is not a problem in the Node.js software itself. In particular, the Node.js website's download page does not offer prebuilt Node.js for Linux on i386.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
nodejs	25.04 plucky	Needs evaluation
	24.10 oracular	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation
	20.04 LTS focal	Needs evaluation
	18.04 LTS bionic	Needs evaluation
	16.04 LTS xenial	Needs evaluation
	14.04 LTS trusty	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-47153
https://bugzilla.redhat.com/show_bug.cgi?id=892601
https://github.com/nodejs/node-v0.x-archive/issues/4549
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076350
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=922075