Vulnerability-Lookup

rustsec-2025-0112

Vulnerability from osv_rustsec

Published

2025-07-18 12:00

Modified

2025-10-25 11:20

Summary

Possible host crash with host-to-wasm component intrinsics

Details

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc For more information see the GitHub-hosted security advisory.

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime",
        "purl": "pkg:cargo/wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "38.0.0"
            },
            {
              "fixed": "38.0.3"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2025-62711",
    "GHSA-4h67-722j-5pmc"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "This is an entry in the RustSec database for the Wasmtime security advisory\nlocated at\nhttps://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc\nFor more information see the GitHub-hosted security advisory.",
  "id": "RUSTSEC-2025-0112",
  "modified": "2025-10-25T11:20:30Z",
  "published": "2025-07-18T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/wasmtime"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0112.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc"
    }
  ],
  "related": [],
  "severity": [],
  "summary": "Possible host crash with host-to-wasm component intrinsics"
}

CVE-2025-62711 (GCVE-0-2025-62711)

Vulnerability from cvelistv5 – Published: 2025-10-24 21:54 – Updated: 2025-10-27 15:22

Title

Wasmtime vulnerable to segfault when using component resources

Summary

Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.

Severity ?

2.1 (Low)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE

CWE-755 - Improper Handling of Exceptional Conditions

Assigner

GitHub_M

References

URL

Tags

	https://github.com/bytecodealliance/wasmtime/secu…	x_refsource_CONFIRM
	https://github.com/bytecodealliance/wasmtime/pull/11592	x_refsource_MISC
	https://github.com/bytecodealliance/wasmtime/comm…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	bytecodealliance	wasmtime	Affected: >= 38.0.0, < 38.0.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62711",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-27T15:22:12.743021Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-27T15:22:22.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 38.0.0, \u003c 38.0.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it\u0027s possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-24T21:54:52.578Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/pull/11592",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/pull/11592"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5"
        }
      ],
      "source": {
        "advisory": "GHSA-4h67-722j-5pmc",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime vulnerable to segfault when using component resources"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62711",
    "datePublished": "2025-10-24T21:54:52.578Z",
    "dateReserved": "2025-10-20T19:41:22.740Z",
    "dateUpdated": "2025-10-27T15:22:22.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-4H67-722J-5PMC

Vulnerability from github – Published: 2025-10-27 20:18 – Updated: 2025-10-27 20:18

Summary

Wasmtime vulnerable to segfault when using component resources

Details

Impact

The implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. This bug was introduced in the release of Wasmtime 38.0.0 and affects it subsequent patch releases of 38.0.1 and 38.0.2. No other versions of Wasmtime are affected.

In Wasmtime 38 the implementation of host-to-wasm trampolines was refactored to remove the old usage of setjmp and longjmp to unwind the stack. In this transition, however, trampolines for component-model intrinsics were accidentally not updated meaning that they didn't update runtime data structures as the other host-to-wasm trampolines did. If an error ocurred during execution of wasm it would then try to read this runtime data which isn't present, and processing it could then result in a crash. For example one piece of runtime data is where to jump to in the case of a trap, and this is intended to be updated by trampolines during their execution. In this situation the trampoline didn't do anything meaning that the value was left set to 0 meaning that execution would jump to the 0 address and deterministically crash the program with a segfault.

Component intrinsic host-to-wasm trampolines are not typically used in most situations. These only exist for carefully crafted components no toolchain would conventionally produce. For example if the resource.rep intrinsic were directly lifted without having any other wasm in play then it would use the component intrinsic host-to-wasm trampoline. This effectively means that any component required to trigger this bug would have to be carefully crafted for this specific issue. Furthermore triggering this bug would require that these intrinsics are called from the host which requires specific type signatures to be used. Not all embeddings may be invoking functions with exactly the right type signatures, meaning that even if a component could be crafted a pre-built embedding may still not be able to run the component.

Overall the goal of Wasmtime's API is that, without unsafe in Rust, it should not be possible to crash the runtime. With Wasmtime 38.0.{0,1,2} it is possible to crash the runtime, however, hence this security issue. Actually exploiting this in practice would require (a) carefully crafted components, (b) a very specific host embedder using the right type signatures, and (c) a host that updated to 38.0.{0,1,2} within the last few days (38.0.0 was released on 2025-10-20, and this is being published on 2025-10-24). This likely means that almost no embedding is affected, but this security issue is nonetheless being posted for awareness.

Patches

Wasmtime 38.0.3 has been released and is patched to fix this issue.

Workarounds

Affected embeddings have no workaround other than updating to 38.0.3. Users of 37.0.x and prior are not affected. Embeddings that only work with core wasm are not affected. Embeddings may only be affected if functions of specific component type signatures are used/invoked, meaning that if all the prior conditions hold the embedding would need to be audited to see if it's affected.

References

The PR which refactored setjmp/longjmp usage and introduced this issue is https://github.com/bytecodealliance/wasmtime/pull/11592.

Severity ?

2.1 (Low)


                  
                    CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "wasmtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "38.0.0"
            },
            {
              "fixed": "38.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62711"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-755"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-27T20:18:01Z",
    "nvd_published_at": "2025-10-24T22:15:49Z",
    "severity": "LOW"
  },
  "details": "### Impact\n\nThe implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it\u0027s possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. This bug was introduced in the release of Wasmtime 38.0.0 and affects it subsequent patch releases of 38.0.1 and 38.0.2. No other versions of Wasmtime are affected.\n\nIn Wasmtime 38 the implementation of host-to-wasm trampolines was refactored to remove the old usage of `setjmp` and `longjmp` to unwind the stack. In this transition, however, trampolines for component-model intrinsics were accidentally not updated meaning that they didn\u0027t update runtime data structures as the other host-to-wasm trampolines did. If an error ocurred during execution of wasm it would then try to read this runtime data which isn\u0027t present, and processing it could then result in a crash. For example one piece of runtime data is where to jump to in the case of a trap, and this is intended to be updated by trampolines during their execution. In this situation the trampoline didn\u0027t do anything meaning that the value was left set to 0 meaning that execution would jump to the 0 address and deterministically crash the program with a segfault.\n\nComponent intrinsic host-to-wasm trampolines are not typically used in most situations. These only exist for carefully crafted components no toolchain would conventionally produce. For example if the `resource.rep` intrinsic were directly lifted without having any other wasm in play then it would use the component intrinsic host-to-wasm trampoline. This effectively means that any component required to trigger this bug would have to be carefully crafted for this specific issue. Furthermore triggering this bug would require that these intrinsics are called from the host which requires specific type signatures to be used. Not all embeddings may be invoking functions with exactly the right type signatures, meaning that even if a component could be crafted a pre-built embedding may still not be able to run the component.\n\nOverall the goal of Wasmtime\u0027s API is that, without `unsafe` in Rust, it should not be possible to crash the runtime. With Wasmtime 38.0.{0,1,2} it is possible to crash the runtime, however, hence this security issue. Actually exploiting this in practice would require (a) carefully crafted components, (b) a very specific host embedder using the right type signatures, and (c) a host that updated to 38.0.{0,1,2} within the last few days (38.0.0 was released on 2025-10-20, and this is being published on 2025-10-24). This likely means that almost no embedding is affected, but this security issue is nonetheless being posted for awareness.\n\n### Patches\n\nWasmtime 38.0.3 has been released and is patched to fix this issue.\n\n### Workarounds\n\nAffected embeddings have no workaround other than updating to 38.0.3. Users of 37.0.x and prior are not affected. Embeddings that only work with core wasm are not affected. Embeddings may only be affected if functions of specific component type signatures are used/invoked, meaning that if all the prior conditions hold the embedding would need to be audited to see if it\u0027s affected.\n\n### References\n\nThe PR which refactored setjmp/longjmp usage and introduced this issue is https://github.com/bytecodealliance/wasmtime/pull/11592.",
  "id": "GHSA-4h67-722j-5pmc",
  "modified": "2025-10-27T20:18:01Z",
  "published": "2025-10-27T20:18:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62711"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/pull/11592"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytecodealliance/wasmtime"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0112.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Wasmtime vulnerable to segfault when using component resources"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

rustsec-2025-0112

Vulnerability from osv_rustsec

CVE-2025-62711 (GCVE-0-2025-62711)

GHSA-4H67-722J-5PMC

Impact

Patches

Workarounds

References

Tags

Sightings

Nomenclature