SecuriTricks - CVE-2025-66627

Description

Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible.

Product(s) Impacted

Vendor	Product	Versions
Wasmi	Wasmi	0.41.0, 0.41.1, 0.42.0-0.47.1, 0.50.0-0.51.2, 1.0.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-416

Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	wasmi	wasmi	0.41.0	/	/	/	/	/	/	/
a	wasmi	wasmi	0.41.1	/	/	/	/	/	/	/
a	wasmi	wasmi	0.42.0-0.47.1	/	/	/	/	/	/	/
a	wasmi	wasmi	0.50.0-0.51.2	/	/	/	/	/	/	/
a	wasmi	wasmi	1.0.0	/	/	/	/	/	/	/

References

https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq

CVSS Score

8.4 / 10

CVSS Data - 3.1

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

View Vector String

Timeline

Published: Dec. 9, 2025, 4:18 p.m.
Last Modified: Dec. 9, 2025, 6:36 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security-advisories@github.com

CVE-2025-66627