CVE-2025-15413
π TL;DR
A memory corruption vulnerability in wasm3 up to version 0.5.0 allows local attackers to potentially execute arbitrary code or cause denial of service. The vulnerability affects the op_SetSlot_i32 and op_CallIndirect functions in m3_exec.h. Users of wasm3 libraries or applications embedding wasm3 are affected.
π» Affected Systems
- wasm3 WebAssembly interpreter
β οΈ Risk & Real-World Impact
Worst Case
Local privilege escalation leading to full system compromise or arbitrary code execution within the wasm3 runtime context.
Likely Case
Application crash (denial of service) or limited memory corruption affecting the specific wasm3 process.
If Mitigated
Contained process crash with no privilege escalation due to sandboxing or minimal permissions.
π― Exploit Status
Exploit requires local access to the system. Public exploit details are available in GitHub issues.
π οΈ Fix & Mitigation
β Official Fix
Patch Version: None (project unmaintained)
Vendor Advisory: https://github.com/wasm3/wasm3/issues/543
Restart Required: Yes
Instructions:
1. Check if your application uses wasm3. 2. Since no official patch exists, consider migrating to alternative WebAssembly runtimes like wasmtime or wamr. 3. If continuing with wasm3, implement strict input validation and sandboxing.
π§ Temporary Workarounds
Disable vulnerable opcodes
allModify wasm3 source to disable or restrict op_SetSlot_i32 and op_CallIndirect operations
Manual source code modification required - no simple command
Sandbox execution
linuxRun wasm3 in isolated containers or with minimal privileges
docker run --read-only --cap-drop=ALL -u nobody wasm3_app
chroot /jail /path/to/wasm3_app
π§― If You Can't Patch
- Implement strict input validation for all WebAssembly modules processed by wasm3
- Run wasm3 applications with minimal privileges (non-root users, reduced capabilities)
π How to Verify
Check if Vulnerable:
Check if wasm3 library version β€0.5.0 is linked to your application. Use: ldd /path/to/application | grep wasm3 or check build dependencies.Check Version:
strings /path/to/application | grep -i wasm3 || wasm3 --version 2>/dev/null || echo 'Check build configuration'Verify Fix Applied:
Verify wasm3 is no longer in use or has been replaced with alternative runtime. Test with known malicious WebAssembly modules.π‘ Detection & Monitoring
Log Indicators:
- Segmentation fault or memory corruption errors in application logs
- Unexpected process termination of wasm3-related applications
Network Indicators:
- None - local exploitation only
SIEM Query:
Process: (name="wasm3" OR cmdline="*wasm3*") AND Event: (Type="Process Crash" OR Type="Segmentation Fault")