CVE-2025-53901
BaseFortify

Publication date: 2025-07-18

Last updated on: 2025-09-04

Assigner: GitHub, Inc.

Description
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic.

This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components.

In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other releases of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.

Meta Information
Published: 2025-07-18
Last Modified: 2025-09-04
Generated: 2026-05-07
AI Q&A: 2025-07-18
EPSS Evaluated: 2026-05-05

Affected Vendors & Products

| Vendor | Product | Version / Range |
| --- | --- | --- |
| bytecodealliance | wasmtime | to 24.0.4 (exc) |
| bytecodealliance | wasmtime | From 33.0.0 (inc) to 33.0.2 (exc) |
| bytecodealliance | wasmtime | From 34.0.0 (inc) to 34.0.2 (exc) |

CWE

| CWE ID | Description |
| --- | --- |
| CWE-672 | The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked. |

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53901 is a vulnerability in Wasmtime's WASIp1 implementation where a WebAssembly guest can cause the host (embedder) to panic by making a specially crafted call to the `fd_renumber` function with either two identical arguments or a second argument equal to a previously closed file descriptor. This corrupts internal state and causes a subsequent call to `path_open` to panic the host. Although this panic causes a denial-of-service by crashing the host, it does not lead to memory unsafety, heap corruption, or allow the guest to escape its sandbox. The vulnerability requires the guest to have access to open a second file descriptor, which is common when a preopened directory is provided. It affects versions prior to 24.0.4, 33.0.2, and 34.0.2, and does not affect WASIp2 or embedders using components. [1]


How can this vulnerability impact me?

This vulnerability can cause a denial-of-service (DoS) condition by crashing the host running Wasmtime when exploited. This means that an attacker controlling a WebAssembly guest could cause the host application embedding Wasmtime to panic and stop functioning properly. However, it does not compromise memory safety, data confidentiality, or integrity, nor does it allow the guest to escape the sandbox. The impact is limited to availability disruption. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Wasmtime to one of the patched versions: 24.0.4, 33.0.2, or 34.0.2. There is no effective workaround other than updating. Embedders who do not provide guest access to create additional file descriptors or who use components are not affected. Otherwise, updating to a patched version is the recommended mitigation. [1]
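
To check which pinned versions need the upgrade, the following added example (not code from this page or from the Wasmtime project) scans `Cargo.lock` text for `wasmtime-wasi` and classifies each version against the ranges listed above. The `Status` labels, the handling of release lines 25 through 32 as unsupported, and the treatment of major versions after 34 as fixed are assumptions of this example.

```rust
// Added example, not Wasmtime project code. Classifies `wasmtime-wasi` versions
// pinned in a Cargo.lock against the ranges this page lists for CVE-2025-53901.
#[derive(Debug, PartialEq)]
enum Status { Affected, Patched, UnsupportedLine }
type Ver = (u64, u64, u64);

fn parse(v: &str) -> Option<Ver> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

fn classify(v: &str) -> Option<Status> {
    let ver = parse(v)?;
    let fixed_at = |p: Ver| if ver < p { Status::Affected } else { Status::Patched };
    Some(match ver.0 {
        0..=23 => Status::Affected,         // listed range: up to 24.0.4 (exclusive)
        24 => fixed_at((24, 0, 4)),
        25..=32 => Status::UnsupportedLine, // no patch release named; move to a supported line
        33 => fixed_at((33, 0, 2)),
        34 => fixed_at((34, 0, 2)),
        _ => Status::Patched,               // assumption: later majors carry the fix
    })
}

fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    let (mut hits, mut in_target) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(name) = line.strip_prefix("name = ") {
            in_target = name.trim_matches('"') == "wasmtime-wasi";
        } else if let Some(v) = line.strip_prefix("version = ") {
            let v = v.trim_matches('"');
            if let (true, Some(s)) = (in_target, classify(v)) {
                hits.push((v.to_string(), s));
            }
            in_target = false;
        }
    }
    hits
}

// Constructed sample lockfile fragment.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"serde\"\nversion = \"1.0.200\"\n\n\
[[package]]\nname = \"wasmtime-wasi\"\nversion = \"33.0.1\"\n";
fn main() {
    for (v, s) in scan_lockfile(SAMPLE_LOCK) {
        println!("wasmtime-wasi {v}: {s:?}");
    }
}
```

An `Affected` result only matters for embeddings that expose WASIp1 with a preopened directory; embedders using components are not affected regardless of version.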

