CVE-2025-53901 (GCVE-0-2025-53901)
Vulnerability from cvelistv5
Published
2025-07-18 17:10
Modified
2025-07-18 17:31
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
CWE
  • CWE-672 - Operation on a Resource after Expiration or Release
Summary
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.
References
Impacted products
Vendor Product Version
bytecodealliance wasmtime Version: < 24.0.4
Version: >= 33.0.0, < 33.0.2
Version: >= 34.0.0, < 34.0.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53901",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-18T17:31:36.542423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-18T17:31:45.514Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "wasmtime",
          "vendor": "bytecodealliance",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 24.0.4"
            },
            {
              "status": "affected",
              "version": "\u003e= 33.0.0, \u003c 33.0.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 34.0.0, \u003c 34.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime\u0027s implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime\u0027s `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime\u0027s release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-672",
              "description": "CWE-672: Operation on a Resource after Expiration or Release",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-18T17:10:11.815Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc"
        },
        {
          "name": "https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html"
        },
        {
          "name": "https://docs.wasmtime.dev/stability-release.html",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://docs.wasmtime.dev/stability-release.html"
        },
        {
          "name": "https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260"
        },
        {
          "name": "https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836"
        }
      ],
      "source": {
        "advisory": "GHSA-fm79-3f68-h2fc",
        "discovery": "UNKNOWN"
      },
      "title": "Wasmtime has host panic with `fd_renumber` WASIp1 function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-53901",
    "datePublished": "2025-07-18T17:10:11.815Z",
    "dateReserved": "2025-07-11T19:05:23.826Z",
    "dateUpdated": "2025-07-18T17:31:45.514Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-53901\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-07-18T18:15:24.713\",\"lastModified\":\"2025-07-22T13:06:27.983\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime\u0027s implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime\u0027s `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime\u0027s release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.\"},{\"lang\":\"es\",\"value\":\"Wasmtime es un entorno de ejecuci\u00f3n para WebAssembly. En versiones anteriores a la 24.0.4, 33.0.2 y 34.0.2, un error en la implementaci\u00f3n de Wasmtime del conjunto de funciones de importaci\u00f3n WASIp1 pod\u00eda provocar que un invitado de WebAssembly indujera un p\u00e1nico en el host (incrustador). El error espec\u00edfico se activa al llamar a `path_open` despu\u00e9s de llamar a `fd_renumber` con dos valores de argumento iguales o con un segundo argumento igual a un valor num\u00e9rico de descriptor de archivo previamente cerrado. El estado corrupto introducido en `fd_renumber` provocar\u00e1 que la apertura posterior de un descriptor de archivo genere un p\u00e1nico. Sin embargo, este p\u00e1nico no puede generar inseguridad en la memoria ni permitir que WebAssembly se salga de su entorno de pruebas. No existe posibilidad de corrupci\u00f3n del mont\u00f3n ni inseguridad en la memoria a causa de este p\u00e1nico. Este error se encuentra en la implementaci\u00f3n del crate `wasmtime-wasi` de Wasmtime, que proporciona una implementaci\u00f3n de WASIp1. El error requiere una llamada especialmente manipulada a `fd_renumber`, adem\u00e1s de la capacidad de abrir un descriptor de archivo posterior. Abrir un segundo descriptor de archivo solo es posible cuando se proporcion\u00f3 un directorio preabierto al invitado, y esto es com\u00fan entre las incrustaciones. Un p\u00e1nico en el host se considera un vector de denegaci\u00f3n de servicio para los incrustadores de WebAssembly y, por lo tanto, es un problema de seguridad en Wasmtime. Este error no afecta a WASIp2 ni a los incrustadores que utilizan componentes. De acuerdo con el proceso de lanzamiento de Wasmtime, las versiones de parche est\u00e1n disponibles como 24.0.4, 33.0.2 y 34.0.2. Se recomienda a los usuarios de otras versiones de Wasmtime que migren a una versi\u00f3n compatible de Wasmtime. Los incrustadores que utilizan componentes o no proporcionan acceso de invitado para crear m\u00e1s descriptores de archivo (por ejemplo, mediante un directorio del sistema de archivos preabierto) no se ven afectados por este problema. De lo contrario, no hay ninguna soluci\u00f3n alternativa en este momento y se recomienda que las incrustaciones afectadas se actualicen a una versi\u00f3n parcheada que no provoque p\u00e1nico en el host.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-672\"}]}],\"references\":[{\"url\":\"https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://docs.wasmtime.dev/stability-release.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-53901\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-18T17:31:36.542423Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-18T17:31:40.250Z\"}}], \"cna\": {\"title\": \"Wasmtime has host panic with `fd_renumber` WASIp1 function\", \"source\": {\"advisory\": \"GHSA-fm79-3f68-h2fc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"bytecodealliance\", \"product\": \"wasmtime\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 24.0.4\"}, {\"status\": \"affected\", \"version\": \"\u003e= 33.0.0, \u003c 33.0.2\"}, {\"status\": \"affected\", \"version\": \"\u003e= 34.0.0, \u003c 34.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc\", \"name\": \"https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html\", \"name\": \"https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://docs.wasmtime.dev/stability-release.html\", \"name\": \"https://docs.wasmtime.dev/stability-release.html\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260\", \"name\": \"https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836\", \"name\": \"https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime\u0027s implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime\u0027s `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime\u0027s release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-672\", \"description\": \"CWE-672: Operation on a Resource after Expiration or Release\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-07-18T17:10:11.815Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-53901\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-18T17:31:45.514Z\", \"dateReserved\": \"2025-07-11T19:05:23.826Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-07-18T17:10:11.815Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.