98 matches found
Wasmtime WASI implementations are vulnerable to guest-controlled resource exhaustion
Impact Wasmtime's implementation of WASI host interfaces are susceptible to guest-controlled resource exhaustion on the host. Wasmtime did not appropriately place limits on resource allocations requested by the guests. This serves as a Denial of Service vector where a guest can induce a range of...
auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-27204 via wasmtime (>=0.10.0 <=1.0.2)
wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-27204 Source advisory: OSV:GHSA-852M-CVVP-9P4W...
Panic adding excessive fields to a `wasi:http/types.fields` instance
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h For more information see the GitHub-hosted security advisory...
auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2026-27204 via wasmtime (>=0.10.0 <=1.0.2)
wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2026-27204 Source advisory: OSV:RUSTSEC-2026-0020...
RUSTSEC-2026-0021 Panic adding excessive fields to a `wasi:http/types.fields` instance
This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-243v-98vx-264h For more information see the GitHub-hosted security advisory...
MCP-SandboxScan: WASM-Based Secure Execution and Runtime Analysis for MCP Tools
Tool-augmented LLM agents raise new security risks: tool executions can introduce runtime-only behaviors, including prompt injection and unintended exposure of external inputs e.g., environment secrets or local files. While existing scanners often focus on static artifacts, analyzing runtime...
PT-2026-21806
Name of the Vulnerable Software and Affected Versions Wasmtime versions prior to 24.0.6 Wasmtime versions prior to 36.0.6 Wasmtime version 4.0.04 Wasmtime versions prior to 41.0.4 Wasmtime versions prior to 42.0.0 Description Wasmtime's implementation of the wasi:http/types.fields resource is...
EUVD-2024-1924
Malicious code in bioql PyPI...
Exploring and Exploiting the Resource Isolation Attack Surface of WebAssembly Containers
Recently, the WebAssembly or Wasm technology has been rapidly evolving, with many runtimes actively under development, providing cross-platform secure sandboxes for Wasm modules to run as portable containers. Compared with Docker, which isolates applications at the operating system level, Wasm...
Linux Distros Unpatched Vulnerability : CVE-2025-53901
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions ca...
SUSE CVE-2025-53901
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder. The specific bug is triggered by calling pathopen after calling...
auto-wasi (=0.1.0), deterministic-wasi-ctx (>=0.1.1 <=0.1.14) +53 more potentially affected by CVE-2025-53901 via wasmtime-wasi (>=0.10.0 <=1.0.2)
wasmtime-wasi CARGO version =0.10.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.5.0, =0.0.1-alpha, =0.1.0, =0.1.0, =0.1.0, =0.9.0, =0.9.0, =0.9.0, =0.7.0, =0.9.2 and more Source cves: CVE-2025-53901 Source advisory: OSV:GHSA-FM79-3F68-H2FC...
UBUNTU-CVE-2025-53901
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host embedder. The specific bug is triggered by calling pathopen after calling...
candid-extractor (>=0.1.0 <=0.1.2), debug-engine (>=0.1.0 <=0.1.1) +69 more potentially affected by unknown CVE via wasmtime-jit-debug (>=0.35.0 <=1.0.2)
wasmtime-jit-debug CARGO version =0.35.0, =0.1.0, =0.1.0, =0.1.3, =0.4.0, =0.4.0, =0.5.0, =0.0.1-alpha, =0.0.6, =0.11.0, =0.9.0, =0.9.0, =0.9.0, =0.10.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-9GHP-W2HM-VFPF...
Malicious code in wasm-wasi-core (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 320ad464f0780881fe134c1e9990c2e1a180a2ab4b6b103e26439d8861709021 Any computer that has this package installed or running should be considered...
MAL-2025-5067 Malicious code in wasm-wasi-core (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 320ad464f0780881fe134c1e9990c2e1a180a2ab4b6b103e26439d8861709021 Any computer that has this package installed or running should be considered...
assemblylift-cli (>=0.4.0-alpha.5 <=0.4.0-alpha.11), assemblylift-core (>=0.4.0-alpha.10 <=0.4.0-alpha.11) +93 more potentially affected by CVE-2024-51756 via cap-primitives (>=0.10.0 <=3.0.0)
cap-primitives CARGO version =0.10.0, =0.4.0-alpha.5, =0.4.0-alpha.10, =0.1.0, =0.3.0, =0.1.0, =0.7.0, =1.0.11, =0.1.0, =0.1.1, =0.1.0, =0.3.0, =0.5.2, =0.1.1, =0.1.0, =0.1.0, =0.2.3 and more Source cves: CVE-2024-51756 Source advisory: OSV:RUSTSEC-2024-0445...
auto-wasi (=0.1.0), candid-extractor (>=0.1.0 <=0.1.2) +105 more potentially affected by CVE-2024-51745 via wasmtime (>=0.10.0 <=1.0.2)
wasmtime CARGO version =0.10.0, =0.1.0, =0.1.0, =0.1.0, =0.1.1, =0.5.3-0, =0.4.0, =0.4.0, =0.0.0, =0.5.0, =0.0.1-alpha, =0.40.1, =0.45.0, =0.1.0, =0.3.0 and more Source cves: CVE-2024-51745 Source advisory: OSV:RUSTSEC-2024-0438...
b4ae (>=2.0.0 <=2.1.3), clatter (>=0.1.2-alpha <=2.0.0-rc.1) +26 more potentially affected by unknown CVE via pqcrypto-kyber (>=0.1.2 <=0.8.1)
pqcrypto-kyber CARGO version =0.1.2, =2.0.0, =0.1.2-alpha, =0.1.4, =0.1.1, =0.1.0, =0.0.1, =0.1.0, =0.1.0, =0.1.0, =0.5.0 - qux-pqc =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2024-0381...
MAL-2025-1004 Malicious code in wasi8787878 (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 e7e8dad2dca9000e3bd94355a78838c2c9448aac766722cfd54aba1fc5c2cd43 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...