Bytecodealliance Wasm-Micro-Runtime vulnerabilities

5 known vulnerabilities affecting bytecodealliance/wasm-micro-runtime.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 2, LOW 1

Vulnerabilities

CVE-2025-64713 | HIGH | CVSS 7.4 | CWE-119 | fixed in 2.4.4 | 2025-11-25
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is e
nvd
CVE-2025-64704 | MEDIUM | CVSS 5.5 | CWE-754 | fixed in 2.4.4 | 2025-11-25
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has been patched in version 2.4.4.
nvd
CVE-2025-58749 | LOW | CVSS 2.1 | CWE-190 | fixed in 2.4.2 | 2025-09-16
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. In WAMR versions prior to 2.4.2, when running in LLVM-JIT mode, the runtime cannot exit normally when executing WebAssembly programs containing a memory.fill instruction where the first operand (memory address pointer) is greater than or equal to 2147483648 bytes (
nvd
CVE-2025-54126 | MEDIUM | CVSS 6.9 | CWE-668 | fixed in 2.4.1 | 2025-07-29
The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally
nvd
CVE-2025-43853 | HIGH | CVSS 7.0 | CWE-61 | fixed in 2.3.0 | 2025-05-15
The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows,
nvd