CVE-2025-15412
BaseFortify
Publication date: 2026-01-01
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webassembly | wabt | to 1.0.39 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-15412 is a memory corruption vulnerability in the WebAssembly Binary Toolkit (WABT) up to version 1.0.39, specifically in the wasm-decompile tool's function wabt::Decompiler::VarName. It occurs when the tool processes malformed WebAssembly binaries and attempts to resolve variable names, leading to an out-of-bounds read or wild pointer dereference. This causes a segmentation fault (crash) due to accessing invalid memory addresses. The vulnerability requires local access to exploit and has a publicly available proof-of-concept. The project currently lacks an active maintainer and no official patches exist. [1, 2, 3]
How can this vulnerability impact me? :
This vulnerability can impact you by causing a denial of service through a crash of the wasm-decompile tool when processing malformed WebAssembly binaries. The out-of-bounds read can compromise system stability and potentially affect confidentiality, integrity, and availability of the affected system. Since the exploit is easy to perform locally and a proof-of-concept is publicly available, attackers with local access could disrupt operations or cause memory corruption. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the crash using a specially crafted malformed WebAssembly binary with the vulnerable wasm-decompile tool. On a Linux x86_64 system, build the wasm-decompile tool with AddressSanitizer enabled using the command: `make clang-release-asan CMAKE_FLAGS="-DCMAKE_BUILD_TYPE=Release -DUSE_ASAN=ON -DCMAKE_CXX_FLAGS_RELEASE=-DNDEBUG"`. Then run the command `./wasm-decompile ./repro` where `repro` is the malformed binary triggering the out-of-bounds read and segmentation fault. Monitoring for segmentation faults or crashes during decompilation indicates the presence of the vulnerability. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps are limited as no official patches or countermeasures are available due to the lack of an active maintainer. It is recommended to avoid using the vulnerable versions of wabt (up to 1.0.39) and consider replacing the wasm-decompile component with an alternative product. Restrict local access to systems running the vulnerable tool to prevent exploitation. Monitoring for updates or community patches is advised. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not contain information regarding the impact of CVE-2025-15412 on compliance with common standards and regulations such as GDPR or HIPAA.