CVE-2025-54126
BaseFortify
Publication date: 2025-07-29
Last updated on: 2025-09-23
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bytecodealliance | webassembly_micro_runtime | up to and including 2.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-668 | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the WebAssembly Micro Runtime (WAMR) iwasm package in versions 2.4.0 and below. When iwasm is started with the --addr-pool option and one of the entries is an IPv4 address written without a subnet mask, the runtime treats that entry as matching every IP address rather than the single host that was written. This can unintentionally expose the service to all incoming connections and bypass the intended IP-based access restrictions. As a result, services that rely on --addr-pool to restrict access may be reachable from any external address, potentially allowing unauthorized access.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access in production deployments, because the runtime may accept connections from any IP address instead of restricting access as intended. This undermines any security that the service derives from IP-based access controls and may allow attackers or unauthorized users to connect to the service and abuse it.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the WebAssembly Micro Runtime (WAMR) iwasm package to version 2.4.1 or later, where --addr-pool entries given as an IPv4 address without a subnet mask are handled correctly. This stops the service from unintentionally accepting all incoming connections and enforces the intended access restrictions. Until the upgrade is applied, review the --addr-pool configuration for entries that lack an explicit mask.
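The following is an added illustration written for this page; it is not WAMR's own source code. It models, in Python, the behaviour the advisory describes: an address-pool parser in which a mask-less IPv4 entry silently becomes a match-everything network, placed beside a hardened parser that treats a mask-less entry as a single host. The pool entries and peer addresses are constructed sample values, and the function names and the "zero-length mask" fallback are assumptions made for the illustration. The audit helper shows the configuration check a defender can run over an existing --addr-pool list.

```python
import ipaddress

# Constructed sample --addr-pool list (not taken from the advisory).
# The second entry has no mask, which is the shape that triggers the issue.
SAMPLE_POOL = ["10.0.0.0/8", "192.168.1.5"]


def _to_network(entry, missing_mask_prefix):
    """Parse one pool entry. If it carries no '/mask', apply the given
    fallback prefix length (a function of the address family)."""
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    addr = ipaddress.ip_address(entry)
    prefix = missing_mask_prefix(addr)
    # strict=False lets a host address be widened to its network.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_addr_pool_vulnerable(entries):
    """Model of the pre-2.4.1 behaviour described above (assumption for
    illustration): a mask-less entry falls back to a zero-length mask,
    so 192.168.1.5 becomes 0.0.0.0/0 and matches every address."""
    return [_to_network(e, lambda addr: 0) for e in entries]


def parse_addr_pool_hardened(entries):
    """Hardened variant: a mask-less entry means exactly one host, i.e.
    /32 for IPv4 and /128 for IPv6 (addr.max_prefixlen)."""
    return [_to_network(e, lambda addr: addr.max_prefixlen) for e in entries]


def is_allowed(networks, peer):
    """True if the peer address falls inside any pool network.
    ipaddress returns False for a version mismatch (v4 peer vs v6 net)."""
    p = ipaddress.ip_address(peer)
    return any(p in net for net in networks)


def audit_addr_pool(entries):
    """Defender's check: return the entries that lack an explicit mask and
    would therefore be interpreted as match-all by an affected iwasm."""
    return [e for e in entries if "/" not in e]


if __name__ == "__main__":
    vuln = parse_addr_pool_vulnerable(SAMPLE_POOL)
    fixed = parse_addr_pool_hardened(SAMPLE_POOL)
    for peer in ("10.4.5.6", "192.168.1.5", "203.0.113.9"):
        print(peer, "vulnerable:", is_allowed(vuln, peer),
              "hardened:", is_allowed(fixed, peer))
    print("mask-less entries:", audit_addr_pool(SAMPLE_POOL))
```

Run as-is, the vulnerable parser admits the unrelated peer 203.0.113.9 because the mask-less entry expanded to 0.0.0.0/0, while the hardened parser admits only the two addresses the operator actually listed. The audit function is the part worth running against a real deployment's --addr-pool list before the upgrade: any entry it returns should be rewritten with an explicit mask.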