CVE-2025-54126 — Resource Exposure in Wasm-micro-runtime

CWE-668 — Resource Exposure2 documents2 sources

Severity

6.9MEDIUMNVD

EPSS

0.1%

top 76.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bytecodealliance Wasm-micro-runtime Bytecodealliance Webassembly Micro Runtime Msrc Azl3 Fluent-bit 3.1.9-4 ON Azure Linux 3.0 +3 more

Timeline

Latest updateJul 8

PublishedJul 29

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions. Services relying on --addr-pool for restricting access by IP…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Affected Packages6 packages

▶NVDbytecodealliance/webassembly_micro_runtime2.4.0

▶CVEListV5bytecodealliance/wasm-micro-runtime< 2.4.1

▶msrcmsrc/azl3_fluent-bit_3.1.9-4_on_azure_linux_3.0

▶msrcmsrc/azl3_fluent-bit_3.1.9-5_on_azure_linux_3.0

▶msrcmsrc/cbl2_fluent-bit_3.0.6-2_on_cbl_mariner_2.0

Patches

Patch: github.com ↗

📋Vendor Advisories

Microsoft

WebAssembly Micro Runtime's `--addr-pool` option allows all IPv4 addresses when subnet mask is not specified↗2025-07-08

▶