CVE-2025-54126
📋 TL;DR
The iwasm runtime shipped with WebAssembly Micro Runtime (WAMR) in versions 2.4.0 and earlier mishandles IPv4 entries passed to --addr-pool without a subnet mask: such an entry ends up matching every IPv4 address, so the address pool no longer restricts anything and the service accepts connections it was meant to refuse. Any deployment that relies on --addr-pool for IP-based access control is affected and may be reachable from unintended hosts or networks.
💻 Affected Systems
- WebAssembly Micro Runtime (WAMR) iwasm package, versions 2.4.0 and earlier
📦 What is this software?
WebAssembly Micro Runtime (WAMR) by Bytecode Alliance: a lightweight standalone WebAssembly runtime. iwasm is its command-line executable, which runs WebAssembly modules and exposes options such as --addr-pool to constrain the network addresses a module may use.
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can reach the exposed service connects to it despite the configured address pool and obtains whatever access the WebAssembly service itself grants, which could lead to data exfiltration, service disruption, or further compromise of the host.
Likely Case
A service that its operators believed was limited to a few addresses is in fact reachable from the whole network segment or the internet, and connections that the --addr-pool restriction should have refused succeed.
If Mitigated
With network segmentation and host or perimeter firewall rules in place, exposure is limited to the specific service instance and the addresses those rules allow; the application-level IP restriction is still bypassed, so it must not be relied upon until the runtime is patched.
🎯 Exploit Status
Exploitation requires only network reachability of the vulnerable service and knowledge of its endpoint (address and port). The broken IP restriction is the entire bypass: an attacker simply connects as if no --addr-pool had been configured, and no further authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.1
Vendor Advisory: https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-vh64-mfvw-pxqp
Restart Required: Yes
Instructions:
1. Download WAMR version 2.4.1 or later from the official repository.
2. Rebuild the iwasm binary from the updated source.
3. Replace the existing iwasm binary with the patched build.
4. Restart every service that runs under iwasm.
🔧 Temporary Workarounds
Add subnet mask to --addr-pool
Ensure every --addr-pool entry carries an explicit subnet mask; a single host is /32 (for example 192.168.1.1/32 rather than 192.168.1.1). Entries with an explicit mask are evaluated as intended on affected versions, so this avoids the faulty code path without upgrading.
iwasm --addr-pool=192.168.1.1/32 ...
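The block below is an added illustration, not code from WAMR or from this advisory. It models an IPv4 address-pool check in which an entry written without a mask takes a default prefix length: with a default of 0 (an assumption about the pre-fix behaviour, inferred from the symptom the advisory describes, not from WAMR's source) a bare address matches every peer, while a default of 32 (the /32 workaround above, and the result the verification step checks for) limits it to one host. The helper count_maskless_entries also covers the "How to Verify" step by flagging entries in an --addr-pool value that lack a mask. All function names and sample addresses are constructed for the example.

```c
/* Added example, not WAMR's code: models how a bare IPv4 entry in an address
 * allow-list collapses into a match-all rule when a missing mask is read as
 * prefix length 0 (an assumption about the pre-fix behaviour, drawn from the
 * symptom the advisory describes), and how defaulting it to /32 instead keeps
 * the list tight. Sample addresses are constructed for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PREFIX_DEFAULT_VULNERABLE 0   /* modelled 2.4.0 behaviour: bare address matches all */
#define PREFIX_DEFAULT_FIXED      32  /* bare address means exactly one host */

/* Parse dotted-quad "a.b.c.d" into a host-order 32-bit value. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t acc = 0;
    int octets = 0;
    while (*s) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0 || v > 255 || octets == 4)
            return false;
        acc = (acc << 8) | (uint32_t)v;
        octets++;
        s = end;
        if (*s == '.' && s[1] != '\0')
            s++;                    /* another octet follows */
        else if (*s != '\0')
            return false;           /* trailing dot or junk */
    }
    if (octets != 4)
        return false;
    *out = acc;
    return true;
}

/* Parse "a.b.c.d[/n]"; an entry without "/n" takes default_prefix. */
static bool parse_pool_entry(const char *entry, int default_prefix,
                             uint32_t *addr, int *prefix)
{
    char buf[64], *slash;
    size_t len = strlen(entry);
    if (len == 0 || len >= sizeof(buf))
        return false;
    memcpy(buf, entry, len + 1);
    slash = strchr(buf, '/');
    if (slash) {
        char *end;
        long n = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || n < 0 || n > 32)
            return false;
        *slash = '\0';
        *prefix = (int)n;
    } else {
        *prefix = default_prefix;   /* this default is the whole difference */
    }
    return parse_ipv4(buf, addr);
}

/* Would a peer at `peer` be allowed by the single pool entry `entry`? */
static bool pool_entry_matches(const char *entry, int default_prefix, const char *peer)
{
    uint32_t pool_addr, peer_addr, mask;
    int prefix;
    if (!parse_pool_entry(entry, default_prefix, &pool_addr, &prefix))
        return false;               /* a malformed entry allows nothing */
    if (!parse_ipv4(peer, &peer_addr))
        return false;
    /* /0 is special-cased: shifting a 32-bit value by 32 is undefined */
    mask = prefix ? 0xFFFFFFFFu << (32 - prefix) : 0u;
    return (pool_addr & mask) == (peer_addr & mask);
}

/* Audit helper for the verification step: how many entries of a
 * comma-separated --addr-pool value carry no "/n" mask? */
static int count_maskless_entries(const char *pool_arg)
{
    int n = 0;
    const char *p = pool_arg;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && memchr(p, '/', len) == NULL)
            n++;
        p = comma ? comma + 1 : p + len;
    }
    return n;
}

int main(void)
{
    const char *bare = "192.168.1.1";       /* entry written without a mask */
    const char *outsider = "203.0.113.7";   /* constructed peer outside any intended range */
    printf("2.4.0-style default: %s vs %s -> %s\n", bare, outsider,
           pool_entry_matches(bare, PREFIX_DEFAULT_VULNERABLE, outsider) ? "ALLOWED" : "denied");
    printf("fixed default:       %s vs %s -> %s\n", bare, outsider,
           pool_entry_matches(bare, PREFIX_DEFAULT_FIXED, outsider) ? "ALLOWED" : "denied");
    printf("maskless entries in \"192.168.1.1,10.0.0.0/8\": %d\n",
           count_maskless_entries("192.168.1.1,10.0.0.0/8"));
    return 0;
}
```

Run as-is, the program shows the same bare entry admitting an unrelated peer under the vulnerable default and rejecting it under the fixed one, and reports one maskless entry in the sample pool. Feeding your own --addr-pool value to count_maskless_entries gives a quick pass/fail for the workaround: any non-zero count means an entry still relies on the runtime's default.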
Use firewall restrictions
Enforce the source-address restriction at the network level instead of relying on --addr-pool. With iptables, append the ACCEPT rule before the DROP rule so the allowed source is matched first; <port> and <allowed_ip> are placeholders for the iwasm service port and the permitted client address or range.
iptables -A INPUT -p tcp --dport <port> -s <allowed_ip> -j ACCEPT
iptables -A INPUT -p tcp --dport <port> -j DROP
🧯 If You Can't Patch
- Enforce strict firewall rules at the host and network perimeter so only intended source addresses can reach iwasm service ports
- Place vulnerable services behind a VPN or an authenticating gateway, so that reachability alone is not enough to use the service
🔍 How to Verify
Check if Vulnerable:
You are exposed if both of the following hold: iwasm reports version 2.4.0 or earlier, and any --addr-pool entry in the service's command line, wrapper script, or unit file is written without a /n mask.
Check Version:
iwasm --version
Verify Fix Applied:
Confirm that iwasm reports version 2.4.1 or later. Then start the service with a single bare IP in --addr-pool (no mask) and attempt a connection from a host that is not that IP; on a patched build the connection is refused, whereas on an affected build it succeeds.
📡 Detection & Monitoring
Log Indicators:
- Connection attempts from IP addresses outside the intended --addr-pool range
- Successful connections from unexpected source IPs
Network Indicators:
- Network traffic to iwasm services from unauthorized IP ranges
- Port scans targeting iwasm service ports
SIEM Query (pseudo-syntax; substitute your platform's field names, the configured allow-list, and the iwasm listening port):
source_ip NOT IN (allowed_ip_range) AND destination_port = (iwasm_port)