Platform
nodejs
Component
nodejs
Fixed in
20.19.1
CVE-2025-47153 describes an out-of-bounds access vulnerability affecting certain build processes for Node.js on 32-bit systems. It stems from libuv and Node.js being compiled with different off_t widths during the build, so the two sides disagree on the layout of data they exchange, which can lead to memory corruption. The vulnerability primarily affects Debian GNU/Linux on the i386 architecture with Node.js versions 20.0.0 through 20.19.0, inclusive. A fix is available in version 20.19.1.
Any structure whose layout depends on off_t (anything carrying a file size or offset) is laid out differently on the two sides of the libuv/Node.js boundary, so the finished binary reads and writes those fields at the wrong offsets when it runs. The result is memory corruption inside the Node.js process: at minimum crashes, i.e. a denial-of-service (DoS) condition, and in principle, as with other memory-safety bugs, attacker-influenced reads or writes that could lead to code execution. Note that this is a build-configuration defect rather than a flaw in the Node.js source, and it does not require an attacker to control the build pipeline: every binary produced by an affected build carries the mismatch. That is why the impact is amplified where Node.js is built and deployed automatically, since one misconfigured i386 build is replicated to every host it is deployed to.
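The off_t width mismatch described above, reduced to a stand-alone C program. This is an added example, not code from Node.js, libuv or Debian; the record layouts and field names are hypothetical stand-ins chosen so the two variants are 12 and 16 bytes on common targets, and the decoders add a length check that a real build does not have, so the out-of-bounds read shows up as an error instead of a crash:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layouts, not libuv's real uv_stat_t. The first field
 * stands in for an off_t: 4 bytes in a plain 32-bit build, 8 bytes when the
 * same source is built with -D_FILE_OFFSET_BITS=64. */
struct rec_off32 {
    int32_t  size;    /* off_t as a 32-bit build without _FILE_OFFSET_BITS=64 sees it */
    uint32_t mode;
    uint32_t mtime;
};

struct rec_off64 {
    int64_t  size;    /* off_t as a build with _FILE_OFFSET_BITS=64 sees it */
    uint32_t mode;
    uint32_t mtime;
};

/* Consumers that check the buffer length instead of trusting sizeof: they
 * return -1 where a real binary would read past the end of the buffer. */
int decode_off32(const uint8_t *buf, size_t len, struct rec_off32 *out) {
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

int decode_off64(const uint8_t *buf, size_t len, struct rec_off64 *out) {
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* Producer built with 64-bit off_t hands a record to a consumer built with
 * 32-bit off_t. The copy fits, but every field after `size` is misread. */
int mismatch_64_to_32(struct rec_off32 *out) {
    struct rec_off64 produced = {
        .size  = 0x100000001LL,   /* 4 GiB + 1 byte: both 32-bit halves are 1 */
        .mode  = 0100644,
        .mtime = 1700000000u,
    };
    uint8_t wire[sizeof produced];          /* constructed sample record */
    memcpy(wire, &produced, sizeof produced);
    return decode_off32(wire, sizeof wire, out);
}

/* Reverse direction: a 12-byte record read with the 16-byte layout is an
 * out-of-bounds read; the length check turns it into an error instead. */
int mismatch_32_to_64(struct rec_off64 *out) {
    struct rec_off32 produced = { .size = 4096, .mode = 0100644, .mtime = 1700000000u };
    uint8_t wire[sizeof produced];          /* constructed sample record */
    memcpy(wire, &produced, sizeof produced);
    return decode_off64(wire, sizeof wire, out);
}

int main(void) {
    struct rec_off32 seen32;
    struct rec_off64 seen64;

    printf("sizeof with 32-bit off_t: %zu, with 64-bit off_t: %zu\n",
           sizeof(struct rec_off32), sizeof(struct rec_off64));

    if (mismatch_64_to_32(&seen32) == 0)
        printf("64->32: size=%ld (was 4 GiB+1) mode=%o (was 100644) mtime=%u (was 1700000000)\n",
               (long)seen32.size, seen32.mode, seen32.mtime);

    if (mismatch_32_to_64(&seen64) == -1)
        printf("32->64: refused, 16-byte layout would read past a 12-byte record\n");
    return 0;
}
```

Build it with any C compiler; no 32-bit toolchain is needed because the two off_t widths are modelled as explicit int32_t/int64_t fields rather than via _FILE_OFFSET_BITS, which has no effect on 64-bit targets. The 64-to-32 direction silently turns a 4 GiB file into a 1-byte one and shifts mode into mtime; the 32-to-64 direction is the out-of-bounds read the CVE names.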
This CVE is not currently listed in the CISA KEV catalog. The published EPSS score is 0.69% (72nd percentile), which is consistent with the narrow set of affected systems (32-bit Debian builds of the 20.x line) and with the defect being in build configuration rather than in the Node.js code itself. No public proof-of-concept exploit had been released as of the publication date. The vulnerability was disclosed on 2025-05-01.
Organizations running Debian GNU/Linux on the i386 architecture with the affected pre-built Node.js packages are at risk. Developers who build Node.js from source on i386 with the same inconsistent off_t settings are affected as well. Shared hosting environments that automatically build and deploy Node.js applications on i386 are vulnerable if they use affected versions.
• linux / server: `dpkg --print-architecture` (affected hosts report `i386`) together with `node --version` (affected if 20.0.0 through 20.19.0)
• linux / server: `journalctl -k | grep -i segfault | grep node` to spot crashes of node processes, which a layout mismatch can cause
• generic web: the mismatch does not fail the build, so inspect runtime logs of i386 build and deploy hosts for crashes or file-access errors rather than looking for build-time errors about off_t.
EPSS
0.69% (72nd percentile)
The primary mitigation for CVE-2025-47153 is to upgrade Node.js to version 20.19.1 or later. If upgrading is not immediately feasible due to compatibility constraints or breaking changes, temporarily isolate affected systems and limit their network exposure. A WAF rule cannot address a build-level defect; instead, monitor build processes for unusual activity, verify the integrity of build dependencies, and review build scripts and configurations for unexpected changes. After upgrading, confirm that `node --version` reports 20.19.1 or later on every i386 host, and, if you build from source, check that libuv and Node.js are compiled with the same _FILE_OFFSET_BITS setting so that both see the same off_t width.
This problem is caused by an incorrect build process on 32-bit systems. If you are using an affected version of Node.js on Debian GNU/Linux i386, update to a fixed version or move to a 64-bit architecture. Verify that your build process is consistent about the expected size of `off_t`.
CVE-2025-47153 is a medium severity vulnerability affecting Node.js versions 20.0.0–20.19.0. It involves an inconsistent off_t size in 32-bit builds, leading to potential out-of-bounds access.
You are affected if you are running Node.js versions 20.0.0 through 20.19.0 on a 32-bit (i386) Debian GNU/Linux system, whether from the pre-built packages or from a source build with the same inconsistent off_t settings.
Upgrade Node.js to version 20.19.1 or later to resolve the vulnerability. If upgrading is not possible, isolate affected systems and monitor build processes.
As of the publication date, there are no reports of active exploitation of CVE-2025-47153, but it is important to apply the fix proactively.
Refer to the Node.js security advisories and the Debian security tracker for official information and updates regarding CVE-2025-47153.