Vulnerability in Bytecodealliance Wasmtime
CVE-2025-53901
Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The spec…
EPSS: 0.004 (59.7th percentile).
CVSS v3 metric
CVSS v3 base score 3.5 (Low). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L.
Affected products
- Bytecodealliance Wasmtime, versions: < 24.0.4; >= 33.0.0, < 33.0.2; >= 34.0.0, < 34.0.2
Weakness classification (CWE)
Public proof-of-concept exploits
References
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-fm79-3f68-h2fc (x_refsource_CONFIRM)
- https://docs.wasmtime.dev/security-what-is-considered-a-security-vulnerability.html (x_refsource_MISC)
- https://docs.wasmtime.dev/stability-release.html (x_refsource_MISC)
- https://github.com/WebAssembly/WASI/blob/e1aa1cae4dda4c1f70f23fe11e922aae92f240a8/legacy/preview1/witx/wasi_snapshot_preview1.witx#L245-L260 (x_refsource_MISC)
- https://github.com/bytecodealliance/wasmtime/blob/037a6edadbc225decbea00a551aabf04203717d9/crates/wasi/src/preview1.rs#L1824-L1836 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2025-53901?
- CVE-2025-53901 is a low-severity vulnerability in Bytecodealliance Wasmtime, classified under Operation on a Resource after Expiration or Release. CVSS score: 3.5/10. Published 2025-07-18.
- How severe is CVE-2025-53901?
- Low severity. CVSS v3 base score is 3.5 out of 10.
- Is CVE-2025-53901 known to be exploited?
- 1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.