CVE-2025-47153 is a medium-severity vulnerability affecting the Debian trixie distribution's Node.js package for 32-bit i386 systems. The root cause lies in inconsistent handling of the off_t data type size during the build process of libuv and Node.js binaries. Specifically, when building on i386 Debian, the libuv dynamic library is compiled with _FILE_OFFSET_BITS=64, enabling 64-bit file offsets, while the Node.js binary itself is compiled with the system default _FILE_OFFSET_BITS=32, resulting in a mismatch. This inconsistency leads to out-of-bounds memory access during runtime because libuv and Node.js expect different sizes for file offset variables. Notably, this issue is limited to the Debian package build process and does not affect the Node.js software itself or prebuilt Node.js binaries from the official Node.js website, which does not provide Linux i386 builds. The vulnerability is classified under CWE-1102, which concerns reliance on machine-dependent data representation, causing portability and memory safety issues. The CVSS v3.1 base score is 6.5 (medium), with vector AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L, indicating network attack vector, high attack complexity, no privileges or user interaction required, and a scope change with low confidentiality, integrity, and availability impacts. There are no known exploits in the wild, and no patches have been linked yet. The vulnerability primarily affects the nodejs_0.10.0~dfsg1-1_i386.deb package in Debian trixie, which is a less common architecture and distribution combination in modern environments but may still be in use in legacy or specialized systems.

For European organizations, the impact of this vulnerability is primarily on systems running Debian trixie on 32-bit i386 architectures with the affected Node.js package installed. The out-of-bounds access can lead to memory corruption, potentially causing application crashes or undefined behavior, which affects availability and integrity of services relying on Node.js. Confidentiality impact is low but possible if memory corruption can be leveraged for information disclosure. Since the vulnerability does not require authentication or user interaction and can be triggered remotely (network vector), it poses a risk to exposed services using the affected package. However, the high attack complexity and limited scope to a niche architecture reduce the overall risk. European organizations using legacy embedded systems, industrial control systems, or specialized applications on 32-bit Debian trixie may be more vulnerable. The vulnerability could disrupt critical services or cause denial of service, impacting business continuity. Given the scope change, exploitation could affect other components linked to Node.js and libuv, potentially cascading failures in dependent applications.

1. Avoid using the affected nodejs_0.10.0~dfsg1-1_i386.deb package on Debian trixie for 32-bit systems; prefer official Node.js binaries or upgrade to 64-bit architectures where possible. 2. Rebuild Node.js and libuv from source ensuring consistent _FILE_OFFSET_BITS settings (both set to 64) to prevent size mismatches. 3. Implement runtime memory protection mechanisms such as AddressSanitizer during development and testing to detect out-of-bounds accesses. 4. Restrict network exposure of services running on affected Node.js versions to trusted internal networks only. 5. Monitor Debian security advisories for patches or updated packages addressing this issue and apply them promptly. 6. Conduct thorough testing of Node.js-based applications on 32-bit Debian trixie systems to identify instability or crashes related to this vulnerability. 7. Where feasible, migrate applications to supported, modern architectures and distributions to eliminate reliance on legacy 32-bit builds. 8. Employ intrusion detection systems tuned to detect anomalous behavior or crashes in Node.js services that could indicate exploitation attempts.