CVE-2025-43853 — UNIX Symbolic Link (Symlink) Following in Wasm-micro-runtime

CWE-61 — UNIX Symbolic Link (Symlink) Following CWE-416 — Use After Free2 documents2 sources

Severity

7.0HIGHNVD

EPSS

0.1%

top 69.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasm-micro-runtime Bytecodealliance Webassembly Micro Runtime Msrc Azl3 Kernel 6.6.43.1-7 ON Azure Linux 3.0 +7 more

Timeline

Latest updateAug 13

PublishedMay 15

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of …

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages10 packages

▶NVDbytecodealliance/webassembly_micro_runtime< 2.2.0

▶CVEListV5bytecodealliance/wasm-micro-runtime< 2.3.0

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

Patches

Patch: github.com ↗

📋Vendor Advisories

Microsoft

cgroup/cpuset: Prevent UAF in proc_cpuset_show()↗2024-08-13

▶