CVE-2025-66627

Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible.

CVSS v3 8.4 HIGH

8.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wasmi-labs:wasmi::::::rust::*
	cpe:2.3:a:wasmi-labs:wasmi::::::rust::*
	cpe:2.3:a:wasmi-labs:wasmi::::::rust::*
	cpe:2.3:a:wasmi-labs:wasmi:1.0.0:::::rust::

History

10 Dec 2025, 21:16

Type	Values Removed	Values Added
CPE		cpe:2.3:a:wasmi-labs:wasmi::::::rust::* cpe:2.3:a:wasmi-labs:wasmi:1.0.0:::::rust::
References	~~() https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq -~~	() https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq - Patch, Vendor Advisory
First Time		Wasmi-labs Wasmi-labs wasmi

09 Dec 2025, 16:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-12-09 16:18

Updated : 2025-12-10 21:16

NVD link : CVE-2025-66627

Mitre link : CVE-2025-66627

CVE.ORG link : CVE-2025-66627

JSON object : View

Products Affected

wasmi-labs

wasmi

CWE

CWE-416

Use After Free

{"id": "CVE-2025-66627", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-12-09T16:18:21.910", "references": [{"url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible."}], "lastModified": "2025-12-10T21:16:04.107", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "DEC38241-42E1-416E-B258-4789ABCE4FAE", "versionEndExcluding": "0.41.2", "versionStartIncluding": "0.41.0"}, {"criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "1FF46E2B-0D1F-4875-8829-15A4B0F18337", "versionEndExcluding": "0.47.1", "versionStartIncluding": "0.47.0"}, {"criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "3DD06F35-DCE6-436A-82E6-8ABFB27F882A", "versionEndExcluding": "0.51.3", "versionStartIncluding": "0.51.0"}, {"criteria": "cpe:2.3:a:wasmi-labs:wasmi:1.0.0:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "0C5B18F1-7C31-4A15-8A6B-FA4C4F2E8E6B"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}