ELA-1415-1 nodejs security update

out-of-bounds write

2025-05-04
Package: nodejs
Version: 10.24.0~dfsg-1~deb10u6 (buster)
Related CVEs: CVE-2025-47153


Node.js, a popular server-side JavaScript engine, was affected by a vulnerability on 32-bit architectures.

The build processes for libuv and Node.js on 32-bit systems use inconsistent off_t sizes (e.g., building on i386 Debian always uses _FILE_OFFSET_BITS=64 for the libuv dynamic library, but uses the global system default _FILE_OFFSET_BITS of 32 for nodejs), leading to out-of-bounds access.
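The following added example (not code from libuv, Node.js or the Debian packaging) shows why a library and its caller disagreeing on the width of off_t corrupts memory, and the compile-time guard that catches it. The record type and its field names are hypothetical; fixed-width integers stand in for the two off_t widths so the layout difference is visible on any build host.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Build-time guard: a translation unit compiled with a 32-bit off_t fails
 * here instead of silently linking against a library that uses 64 bits. */
_Static_assert(sizeof(off_t) == 8, "build with -D_FILE_OFFSET_BITS=64");

/* Hypothetical record crossing the library boundary (not a real libuv type). */
struct rec_lib { int64_t off; uint32_t len; uint32_t flags; }; /* off_t = 64 bits */
struct rec_app { int32_t off; uint32_t len; uint32_t flags; }; /* off_t = 32 bits */

/* Bytes the library-side layout touches beyond the caller's object. */
size_t overrun_bytes(void) {
    size_t lib_end = offsetof(struct rec_lib, flags) + sizeof(uint32_t);
    return lib_end > sizeof(struct rec_app) ? lib_end - sizeof(struct rec_app) : 0;
}

/* Simulate the library filling a caller-sized object. The arena is large
 * enough that the demo itself stays in bounds; the canary stands in for
 * whatever lives directly after the caller's struct. Returns 1 if clobbered. */
int canary_clobbered(void) {
    unsigned char arena[sizeof(struct rec_lib)];
    const uint32_t canary = 0xC0FFEE00u;   /* constructed marker value */
    struct rec_lib out = { .off = 4096, .len = 512, .flags = 0xFFFFFFFFu };
    uint32_t after;

    memset(arena, 0, sizeof arena);
    memcpy(arena + sizeof(struct rec_app), &canary, sizeof canary);
    /* The library writes each field at the offset its own layout dictates. */
    memcpy(arena + offsetof(struct rec_lib, off), &out.off, sizeof out.off);
    memcpy(arena + offsetof(struct rec_lib, len), &out.len, sizeof out.len);
    memcpy(arena + offsetof(struct rec_lib, flags), &out.flags, sizeof out.flags);
    memcpy(&after, arena + sizeof(struct rec_app), sizeof after);
    return after != canary;
}

int main(void) {
    printf("caller allocates %zu bytes, library writes %zu\n",
           sizeof(struct rec_app), sizeof(struct rec_lib));
    printf("overrun: %zu bytes, canary clobbered: %d\n",
           overrun_bytes(), canary_clobbered());
    return 0;
}
```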

The following reverse dependencies were also rebuilt in order to fix the vulnerability:



For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u6.

We recommend that you upgrade your nodejs packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.