CVE-2025-62711

LOW EPSS 32.4%
Published Oct 24, 20258mo ago · Modified Jun 17, 20261w ago
2.1 CVSS 4.0
Low
Find Similar
Published Oct 24, 2025 8mo ago
Last Modified Jun 17, 2026 1w ago

Description

Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.

CVSS Details

Base Score
2.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
32.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-755

Affected Products 1

VendorProductVersionRange
bytecodealliancewasmtime*≥38.0.0  –  <38.0.3

References 3

  • github.com https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5
    Patch
  • github.com https://github.com/bytecodealliance/wasmtime/pull/11592
    Patch
  • github.com https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5
    Patch
  • github.com https://github.com/bytecodealliance/wasmtime/pull/11592
    Patch
  • github.com https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc
    PatchThird Party Advisory