A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
References
| Link | Resource |
|---|---|
| https://github.com/WebAssembly/wabt/issues/2679 | Exploit Issue Tracking Vendor Advisory |
| https://github.com/oneafter/1208/blob/main/af1 | Exploit |
| https://vuldb.com/?ctiid.339332 | Permissions Required VDB Entry |
| https://vuldb.com/?id.339332 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.719825 | Third Party Advisory VDB Entry |
Configurations
History
06 Jan 2026, 15:52
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Webassembly
Webassembly wabt |
|
| CPE | cpe:2.3:a:webassembly:wabt:*:*:*:*:*:*:*:* | |
| References | () https://github.com/WebAssembly/wabt/issues/2679 - Exploit, Issue Tracking, Vendor Advisory | |
| References | () https://github.com/oneafter/1208/blob/main/af1 - Exploit | |
| References | () https://vuldb.com/?ctiid.339332 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.339332 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.719825 - Third Party Advisory, VDB Entry |
01 Jan 2026, 20:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-01 20:15
Updated : 2026-01-06 15:52
NVD link : CVE-2025-15411
Mitre link : CVE-2025-15411
CVE.ORG link : CVE-2025-15411
JSON object : View
Products Affected
webassembly
- wabt
CWE
CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer