CVE-2025-15411

A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/WebAssembly/wabt/
https://github.com/WebAssembly/wabt/issues/2679	Exploit Issue Tracking Vendor Advisory
https://github.com/oneafter/1208/blob/main/af1	Exploit
https://vuldb.com/?ctiid.339332	Permissions Required VDB Entry
https://vuldb.com/?id.339332	Third Party Advisory VDB Entry
https://vuldb.com/?submit.719825	Third Party Advisory VDB Entry
https://vuldb.com/?submit.736404

Configurations

Configuration 1 (hide)

cpe:2.3:a:webassembly:wabt:*:*:*:*:*:*:*:*

History

23 Feb 2026, 09:16

Type	Values Removed	Values Added
References		() https://github.com/WebAssembly/wabt/ - () https://vuldb.com/?submit.736404 -

06 Jan 2026, 15:52

Type	Values Removed	Values Added
References	~~() https://github.com/WebAssembly/wabt/issues/2679 -~~	() https://github.com/WebAssembly/wabt/issues/2679 - Exploit, Issue Tracking, Vendor Advisory
References	~~() https://github.com/oneafter/1208/blob/main/af1 -~~	() https://github.com/oneafter/1208/blob/main/af1 - Exploit
References	~~() https://vuldb.com/?ctiid.339332 -~~	() https://vuldb.com/?ctiid.339332 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.339332 -~~	() https://vuldb.com/?id.339332 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.719825 -~~	() https://vuldb.com/?submit.719825 - Third Party Advisory, VDB Entry
First Time		Webassembly Webassembly wabt
CPE		cpe:2.3:a:webassembly:wabt::::::::

01 Jan 2026, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-01 20:15

Updated : 2026-02-23 09:16

NVD link : CVE-2025-15411

Mitre link : CVE-2025-15411

CVE.ORG link : CVE-2025-15411

JSON object : View

Products Affected

webassembly

wabt

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

5.3 /10