cbcvebase.
CVE-2024-51745
published 2024-11-05

CVE-2024-51745: Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such…

PriorityP264critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.81%
52.4th percentile
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.

Affected

12 ranges
VendorProductVersion rangeFixed in
bytecodealliancewasmtime< 24.0.224.0.2
bytecodealliancewasmtime
bytecodealliancewasmtime
bytecodealliancewasmtime
bytecodealliancewasmtime
bytecodealliancewasmtime
bytecodealliancewasmtime
bytecodealliancewasmtime>= 0 < 24.0.224.0.2
bytecodealliancewasmtime>= 0.0.0-0 < 24.0.224.0.2
bytecodealliancewasmtime>= 25.0.0 < 25.0.325.0.3
bytecodealliancewasmtime>= 26.0.0 < 26.0.126.0.1
debianrust-wasmtime< rust-wasmtime 26.0.1+dfsg-1 (forky)rust-wasmtime 26.0.1+dfsg-1 (forky)

Detection & IOCsextracted from sources · hover to see the quote

filenameCOM¹
filenameCOM²
filenameLPT⁰
filenameLPT¹
  • On Windows hosts running Wasmtime, monitor filesystem access attempts using device filenames with Unicode superscript digits (e.g., COM¹, COM², LPT⁰, LPT¹) originating from Wasm sandbox processes — these bypass the sandbox blocklist that only covers ASCII-digit variants (COM1, COM2, LPT0, LPT1).
  • Audit serial/parallel port and emulated USB serial port access (modems, printers, network printers) on Windows systems running Wasmtime, as exploitation of this CVE can result in access to those peripheral or network-mapped devices.
  • ·This vulnerability is Windows-specific; Linux/macOS Wasmtime deployments are not affected.
  • ·The sandbox bypass only applies when untrusted Wasm programs are granted access to any filesystem directory; Wasm programs with no filesystem access are not affected.
  • ·Patched versions are 24.0.2, 25.0.3, and 26.0.1; Wasmtime 23.0.x and prior are vulnerable with no known workarounds.

CVSS provenance

nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv4.02.3LOWCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv2.3LOW
vendor_debian2.3LOW
vendor_redhat2.3LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.