
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2025-47153 affects Node.js on 32-bit systems due to an inconsistent off_t size configuration between libuv and Node.js builds. The vulnerability was discovered in May 2025 and affects nodejs binary packages through nodejs_20.19.0+dfsg-2_i386.deb for Debian GNU/Linux. This issue stems from build processes where libuv uses _FILE_OFFSET_BITS=64 while Node.js uses the system default of 32, leading to potential out-of-bounds access. Notably, this is not a problem in the Node.js software itself, as the Node.js website does not offer prebuilt Node.js for Linux on i386 (NVD, Debian LTS).
The vulnerability arises from inconsistent _FILE_OFFSET_BITS settings between libuv and Node.js builds on 32-bit systems. On i386 Debian systems, libuv is built with _FILE_OFFSET_BITS=64 while Node.js uses the system default of 32, resulting in mismatched struct sizes. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (NVD).
The inconsistent off_t size between libuv and Node.js builds can result in out-of-bounds access, potentially leading to memory corruption and application crashes. This affects various Node.js applications and packages that rely on file system operations on 32-bit systems (Wiz).
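The following is an added illustration, not code from libuv, Node.js or Debian, of how two components that disagree on the width of off_t end up with different layouts for the same record. The struct names, fields and values are hypothetical, and `#pragma pack(4)` is an assumption used to model i386 alignment so the layout is the same on any host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical record passed across a library boundary (not libuv's real
 * struct). pack(4) reproduces the i386 rule that 64-bit integers are only
 * 4-byte aligned inside structs, so the layout is identical on any host. */
#pragma pack(push, 4)
struct req_lib { int32_t fd; int64_t off; int32_t result; }; /* _FILE_OFFSET_BITS=64 */
struct req_app { int32_t fd; int32_t off; int32_t result; }; /* default: 32-bit off_t */
#pragma pack(pop)

/* Bytes the library side touches beyond the object the application allocated. */
size_t overrun_bytes(void) {
    return sizeof(struct req_lib) - sizeof(struct req_app);
}

/* What the application reads as `result` after the library stored 42 there. */
int32_t app_view_of_result(void) {
    unsigned char shared[sizeof(struct req_lib)];
    /* Constructed sample values; both halves of `off` are 5 on purpose. */
    struct req_lib lib = { .fd = 3, .off = 0x0000000500000005LL, .result = 42 };
    struct req_app app;
    memcpy(shared, &lib, sizeof lib);   /* library writes its 16-byte layout */
    memcpy(&app, shared, sizeof app);   /* application reads its 12-byte layout */
    return app.result;                  /* lands on half of `off`, not on 42 */
}

/* Width of off_t in this translation unit; it must match in every linked component. */
int off_t_bits(void) { return (int)(sizeof(off_t) * 8); }

int main(void) {
    printf("off_t here: %d bits\n", off_t_bits());
    printf("lib struct %zu bytes, app struct %zu bytes, overrun %zu\n",
           sizeof(struct req_lib), sizeof(struct req_app), overrun_bytes());
    printf("result offset: lib %zu, app %zu\n",
           offsetof(struct req_lib, result), offsetof(struct req_app, result));
    printf("app reads result = %d (library stored 42)\n", app_view_of_result());
    return 0;
}
```

Building every component that shares such structs with the same _FILE_OFFSET_BITS value removes the skew; `off_t_bits()` compiled into each component is a quick way to compare them.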
Debian has released security updates to address this vulnerability in version nodejs_20.19.0+dfsg1-1. Several dependent packages were also rebuilt to fix the vulnerability, including node-expat, node-iconv, node-leveldown, and others. Users are recommended to upgrade their nodejs packages to the latest version (Debian LTS).
The vulnerability has sparked discussions about the challenges of maintaining 32-bit support in modern software. Alan Coopersmith from Oracle noted that this issue highlights potential similar problems that might arise with _TIME_BITS mismatches as 32-bit builders prepare for the year 2038 (Openwall).
Source: This report was generated using AI