DescriptionThe implementation of realpath in libuv < 10.22.1, < 12.18.4, and < 14.9.0 used within Node.js incorrectly determined the buffer size which can result in a buffer overflow if the resolved path is longer than 256 bytes.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libuv1 (PTS)buster1.24.1-1+deb10u1vulnerable
buster (security)1.24.1-1+deb10u2vulnerable
bullseye (security)1.40.0-2+deb11u1fixed
bookworm (security)1.44.2-1+deb12u1fixed
sid, trixie1.48.0-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libuv1sourcestretch(not affected)


[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
Debian's version of nodejs uses the shared system library of libuv1 instead
of the bundled one.
Introduced by: (v1.24.0)
Fixed by: (v1.39.0)
Broken path in uv__fs_realpath() only taken when libuv1 build in
pre-POSIX.2008 mode (defined(_POSIX_VERSION) && _POSIX_VERSION < 200809L).

Search for package or bug name: Reporting problems