CVE-2024-51745
published 2024-11-05CVE-2024-51745: Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such…
PriorityP264critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.81%
52.4th percentile
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports. Patch releases for Wasmtime have been issued as 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior are recommended to upgrade to one of these patched versions. There are no known workarounds for this issue. Affected Windows users are recommended to upgrade.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bytecodealliance | wasmtime | < 24.0.2 | 24.0.2 |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | — | — |
| bytecodealliance | wasmtime | >= 0 < 24.0.2 | 24.0.2 |
| bytecodealliance | wasmtime | >= 0.0.0-0 < 24.0.2 | 24.0.2 |
| bytecodealliance | wasmtime | >= 25.0.0 < 25.0.3 | 25.0.3 |
| bytecodealliance | wasmtime | >= 26.0.0 < 26.0.1 | 26.0.1 |
| debian | rust-wasmtime | < rust-wasmtime 26.0.1+dfsg-1 (forky) | rust-wasmtime 26.0.1+dfsg-1 (forky) |
Detection & IOCsextracted from sources · hover to see the quote
- →On Windows hosts running Wasmtime, monitor filesystem access attempts using device filenames with Unicode superscript digits (e.g., COM¹, COM², LPT⁰, LPT¹) originating from Wasm sandbox processes — these bypass the sandbox blocklist that only covers ASCII-digit variants (COM1, COM2, LPT0, LPT1). ↗
- →Audit serial/parallel port and emulated USB serial port access (modems, printers, network printers) on Windows systems running Wasmtime, as exploitation of this CVE can result in access to those peripheral or network-mapped devices. ↗
- ·This vulnerability is Windows-specific; Linux/macOS Wasmtime deployments are not affected. ↗
- ·The sandbox bypass only applies when untrusted Wasm programs are granted access to any filesystem directory; Wasm programs with no filesystem access are not affected. ↗
- ·Patched versions are 24.0.2, 25.0.3, and 26.0.1; Wasmtime 23.0.x and prior are vulnerable with no known workarounds. ↗
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvdv4.02.3LOWCVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv2.3LOW
vendor_debian2.3LOW
vendor_redhat2.3LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2024-51745: Wasmtime is a fast and secure runtime for WebAssembly
osv·2024-11-05·CVSS 2.3
CVE-2024-51745 [LOW] CVE-2024-51745: Wasmtime is a fast and secure runtime for WebAssembly
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial port
GHSA
Wasmtime doesn't fully sandbox all the Windows device filenames
ghsa·2024-11-05
CVE-2024-51745 [LOW] CWE-184 Wasmtime doesn't fully sandbox all the Windows device filenames
Wasmtime doesn't fully sandbox all the Windows device filenames
### Impact
Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including em
OSV
Wasmtime doesn't fully sandbox all the Windows device filenames
osv·2024-11-05
CVE-2024-51745 [LOW] Wasmtime doesn't fully sandbox all the Windows device filenames
Wasmtime doesn't fully sandbox all the Windows device filenames
### Impact
Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including em
OSV
Wasmtime doesn't fully sandbox all the Windows device filenames
osv·2024-11-02
CVE-2024-51745 Wasmtime doesn't fully sandbox all the Windows device filenames
Wasmtime doesn't fully sandbox all the Windows device filenames
This is an entry in the RustSec database for the Wasmtime security advisory
located at
https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-c2f5-jxjv-2hh8.
For more information see the GitHub-hosted security advisory.
Red Hat
wasmtime: Wasmtime doesn't fully sandbox all the Windows device filenames
vendor_redhat·2024-11-05·CVSS 2.3
CVE-2024-51745 [LOW] CWE-184 wasmtime: Wasmtime doesn't fully sandbox all the Windows device filenames
wasmtime: Wasmtime doesn't fully sandbox all the Windows device filenames
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device
Debian
CVE-2024-51745: rust-wasmtime - Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem san...
vendor_debian·2024·CVSS 2.3
CVE-2024-51745 [LOW] CVE-2024-51745: rust-wasmtime - Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem san...
Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial port
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-05
Published