Platform
nodejs
Component
nodejs
Fixed in
20.19.1
CVE-2025-47153 describes an out-of-bounds access vulnerability affecting specific build processes for Node.js on 32-bit systems. This issue stems from an inconsistent handling of off_t sizes during the libuv and Node.js build process, potentially leading to memory corruption. The vulnerability primarily impacts Debian GNU/Linux distributions using i386 architecture and Node.js versions between 20.0.0 and 20.19.0, inclusive. A fix is available in version 20.19.1.
The out-of-bounds access vulnerability allows attackers to potentially trigger a denial-of-service (DoS) condition or, in more complex scenarios, achieve arbitrary code execution. While the vulnerability isn't inherent to the Node.js software itself, a malicious actor could exploit it during the build or deployment process, particularly if they control the build environment or can inject malicious code into the build pipeline. The impact is amplified in environments where Node.js applications are built and deployed automatically, as this could allow attackers to compromise the entire system. This vulnerability is similar to other memory corruption issues that have been exploited to gain control of systems.
This CVE is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low to medium, given the specific build environment requirements and the fact that the vulnerability is not present in the core Node.js software. No public proof-of-concept exploits have been publicly released as of the publication date. The vulnerability was disclosed on 2025-05-01.
Exploit Status
EPSS
0.69% (72% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-47153 is to upgrade Node.js to version 20.19.1 or later. If upgrading is not immediately feasible due to compatibility constraints or breaking changes, consider temporarily isolating affected systems and limiting network access. While a direct WAF rule is unlikely to be effective, monitoring build processes for unusual activity and ensuring the integrity of build dependencies can help detect potential exploitation attempts. Review build scripts and configurations for any suspicious modifications. After upgrading, confirm the fix by attempting to build Node.js on an i386 Debian system and verifying that the off_t size is handled consistently.
This issue is due to an incorrect build process on 32-bit systems. If you are using an affected version of Node.js on Debian GNU/Linux i386, consider updating to a patched version or using a 64-bit architecture. Verify that your build process is consistent with the expected size of `off_t`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-47153 is a medium severity vulnerability affecting Node.js versions 20.0.0–20.19.0. It involves an inconsistent off_t size in 32-bit builds, leading to potential out-of-bounds access.
You are affected if you are using Node.js versions 20.0.0 through 20.19.0 on a 32-bit (i386) Debian GNU/Linux system and using pre-built packages.
Upgrade Node.js to version 20.19.1 or later to resolve the vulnerability. If upgrading is not possible, isolate affected systems and monitor build processes.
As of the publication date, there are no reports of active exploitation of CVE-2025-47153, but it is important to apply the fix proactively.
Refer to the Node.js security advisories and the Debian security tracker for official information and updates regarding CVE-2025-47153.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.