• Bug#1109548: rust-wasmtime: CVE-2025-53901

    From Salvatore Bonaccorso@21:1/5 to All on Sat Jul 19 22:20:01 2025
    Source: rust-wasmtime
    Version: 26.0.1+dfsg-3
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

    Hi,

    The following vulnerability was published for rust-wasmtime.

    CVE-2025-53901[0]:
    | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4,
    | 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1
    | set of import functions can lead to a WebAssembly guest inducing a
    | panic in the host (embedder). The specific bug is triggered by
    | calling `path_open` after calling `fd_renumber` with either two
    | equal argument values or a second argument being equal to a
    | previously-closed file descriptor number value. The corrupt state
    | introduced in `fd_renumber` will lead to the subsequent opening of a
    | file descriptor to panic. This panic cannot introduce memory
    | unsafety or allow WebAssembly to break outside of its sandbox,
    | however. There is no possible heap corruption or memory unsafety
    | from this panic. This bug is in the implementation of Wasmtime's
    | `wasmtime-wasi` crate which provides an implementation of WASIp1.
    | The bug requires a specially crafted call to `fd_renumber` in
    | addition to the ability to open a subsequent file descriptor.
    | Opening a second file descriptor is only possible when a preopened
    | directory was provided to the guest, and this is common amongst
    | embeddings. A panic in the host is considered a denial-of-service
    | vector for WebAssembly embedders and is thus a security issue in
    | Wasmtime. This bug does not affect WASIp2 and embedders using
    | components. In accordance with Wasmtime's release process, patch
    | releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other
    | releases of Wasmtime are recommended to move to a supported release
    | of Wasmtime. Embedders who are using components or are not providing
    | guest access to create more file descriptors (e.g. via a preopened
    | filesystem directory) are not affected by this issue. Otherwise,
    | there is no workaround at this time, and affected embeddings are
    | recommended to update to a patched version which will not cause a
    | panic in the host.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-53901
    https://www.cve.org/CVERecord?id=CVE-2025-53901
    [1] https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc

    Regards,
    Salvatore

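A triage helper for the conditions stated in the advisory text above, added here as an example; it is not part of the original report and is not Wasmtime or Debian code. The function names, status strings and sample inventory are constructed for illustration, and treating release lines without a listed patch release as affected is an assumption drawn from the "prior to" wording.

```python
import re

# Patch releases named in the advisory text, keyed by release line (major version).
PATCHED = {24: (24, 0, 4), 33: (33, 0, 2), 34: (34, 0, 2)}
NEWEST_PATCHED = max(PATCHED.values())


def parse_upstream(version):
    """Return (major, minor, patch) from a crate or Debian package version string."""
    # Skip a Debian epoch ("1:") and ignore suffixes such as "+dfsg-3" or "-1".
    match = re.match(r"(?:\d+:)?(\d+)\.(\d+)\.(\d+)", version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def triage(version, uses_wasip1=True, guest_can_open_files=True):
    """Classify one embedding as (status, upgrade_target_or_None)."""
    # Per the advisory: component (WASIp2) embedders, and embedders that give
    # the guest no way to open further descriptors, are not affected.
    if not uses_wasip1 or not guest_can_open_files:
        return ("not-exposed", None)
    parsed = parse_upstream(version)
    fixed_in = PATCHED.get(parsed[0])
    if fixed_in is not None:
        if parsed >= fixed_in:
            return ("fixed", None)
        return ("affected", ".".join(map(str, fixed_in)))
    if parsed > NEWEST_PATCHED:
        return ("fixed", None)
    # Assumption: "prior to" covers every other release line below 34.0.2;
    # those lines have no patch release, so the target is a supported release.
    return ("affected-no-patch-for-line", None)


if __name__ == "__main__":
    # Constructed inventory; the first entry is the version from this bug report.
    inventory = [
        ("26.0.1+dfsg-3", True, True),
        ("24.0.3", True, True),
        ("33.0.2", True, True),
        ("34.0.1", True, False),
    ]
    for version, wasip1, can_open in inventory:
        print(version, triage(version, wasip1, can_open))
```

The pre-release suffixes Debian marks with `~` are not handled; a version such as `34.0.2~rc1` would be read as 34.0.2.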