CVE-2024-28123 – This vulnerability in the WASMI WebAssembly int... (How to Fix)

Q: What is the severity of CVE-2024-28123?

CVE-2024-28123 has a CVSS score of 7.3 (HIGH). This vulnerability in the WASMI WebAssembly interpreter allows an out-of-bounds buffer write when the host calls or resumes a Wasm function with more than 128 parameters, exceeding the stack limit. This only affects calls from host to Wasm, not Wasm-to-Wasm calls. Systems using vulnerable versions of WASMI for WebAssembly execution in constrained/embedded environments are affected.

📋 TL;DR

This vulnerability in the WASMI WebAssembly interpreter allows an out-of-bounds buffer write when the host calls or resumes a Wasm function with more than 128 parameters, exceeding the stack limit. This only affects calls from host to Wasm, not Wasm-to-Wasm calls. Systems using vulnerable versions of WASMI for WebAssembly execution in constrained/embedded environments are affected.

💻 Affected Systems

Products:

WASMI (WebAssembly interpreter)

Versions: Versions before 0.31.1

Operating Systems: All operating systems using WASMI

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects calls from host to Wasm functions, not Wasm-to-Wasm calls. Embedded/constrained systems using WASMI are particularly vulnerable.

📦 What is this software?

Wasmi by Wasmi Labs

View all CVEs affecting Wasmi →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution leading to complete system compromise, data corruption, or denial of service in affected systems.

🟠

Likely Case

Application crashes, denial of service, or potential memory corruption leading to unstable behavior.

🟢

If Mitigated

Limited impact with proper input validation and parameter limits in place before calls to WASMI.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions (host-to-Wasm calls with >128 parameters) but could be triggered by malicious inputs.

🏢 Internal Only: MEDIUM - Similar risk profile, though attack surface may be more limited in internal systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires the ability to trigger host-to-Wasm calls with excessive parameters. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.31.1

Vendor Advisory: https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq

Restart Required: Yes

Instructions:

1. Update WASMI to version 0.31.1 or later. 2. Rebuild any applications using WASMI. 3. Restart affected services. 4. Verify the update was successful.

🔧 Temporary Workarounds

Parameter validation

all

Implement input validation to ensure host-to-Wasm calls never exceed 128 parameters

Implement parameter count checks in host code before calling WASMI functions

Limit host capabilities

all

Restrict host environments from making direct calls to Wasm functions with variable parameters

Implement wrapper functions that validate parameter counts

🧯 If You Can't Patch

Implement strict input validation to ensure no host-to-Wasm calls exceed 128 parameters
Isolate WASMI usage in sandboxed environments with limited privileges

🔍 How to Verify

Check if Vulnerable:

Check WASMI version in your project dependencies or installed packages. If version is <0.31.1, you are vulnerable.

Check Version:

Check package manifest (Cargo.toml for Rust) or run: wasmi --version if available

Verify Fix Applied:

Confirm WASMI version is 0.31.1 or later and test host-to-Wasm calls with various parameter counts.

📡 Detection & Monitoring

Log Indicators:

Application crashes
Memory access violation errors
Stack overflow warnings
Unexpected termination of WASMI processes

Network Indicators:

Unusual traffic patterns to services using WASMI
Increased error rates in WebAssembly-related services

SIEM Query:

Search for: (process_name:"wasmi" OR process_name:"*wasm*") AND (event_type:"crash" OR event_type:"memory_violation" OR error_code:"SIGSEGV")

📊 Metadata

CVE ID: CVE-2024-28123

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-787

Published: March 21, 2024

Last Updated: June 2, 2025

🔗 References

https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f Patch
https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1 Release Notes
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq Vendor Advisory
https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f Patch
https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1 Release Notes
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-28123, you might also want to check these: