CVE-2025-15411
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-01

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-01
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-01
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15411
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
webassembly wabt to 1.0.39 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15411 is a heap-buffer-overflow and use-after-free vulnerability in the WebAssembly Binary Toolkit (wabt) up to version 1.0.39, specifically in the function wabt::AST::InsertNode within the wasm-decompile tool. The issue occurs when a std::vector reallocates and frees its old memory buffer, but InsertNode continues to use a stale pointer referencing the freed memory, causing memory corruption. This leads to invalid memory reads and potential crashes when processing crafted WebAssembly binaries. [2, 3, 4]

Impact Analysis

This vulnerability can lead to memory corruption, including heap-buffer-overflow and use-after-free conditions, which may cause Denial of Service (DoS) by crashing the application. It also poses risks to confidentiality, integrity, and availability of the affected system. Exploitation requires local access, and a public proof-of-concept exploit is available, making it easier for attackers to leverage this flaw. [2, 3, 4]

Detection Guidance

This vulnerability can be detected by reproducing the issue using AddressSanitizer (ASan) in a Release build with NDEBUG defined. The vulnerability manifests as a heap-buffer-overflow and use-after-free in the wasm-decompile tool of wabt. A reproduction command is: `./wasm-decompile ./repro` where `./repro` is a crafted WebAssembly binary triggering the issue. The build command to enable ASan is: `make clang-release-asan CMAKE_FLAGS="-DCMAKE_BUILD_TYPE=Release -DUSE_ASAN=ON -DCMAKE_CXX_FLAGS_RELEASE=-DNDEBUG"`. Monitoring crash stack traces involving `wabt::AST::InsertNode` and ASan reports of invalid reads from freed memory can help detect the vulnerability. [3, 4]

Mitigation Strategies

Immediate mitigation steps include avoiding use of the vulnerable wabt versions up to 1.0.39, especially the wasm-decompile tool. Since no official patches or maintainers are currently available, consider replacing the affected component with an alternative product. Restrict local access to systems running the vulnerable software to prevent exploitation. Monitoring for exploit attempts and applying strict access controls can reduce risk until a fix or replacement is implemented. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15411. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart