Login Sign Up

CVE-2025-58749

5.3 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability in WebAssembly Micro Runtime (WAMR) causes runtime hangs or crashes when executing WebAssembly programs with specific memory.fill instructions in LLVM-JIT mode. It affects users running WAMR versions prior to 2.4.2 with LLVM-JIT enabled. The issue does not impact FAST-JIT mode or other runtime tools.

💻 Affected Systems

Products:
  • WebAssembly Micro Runtime (WAMR)
Versions: All versions prior to 2.4.2
Operating Systems: All platforms running WAMR
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects LLVM-JIT mode; FAST-JIT mode and other runtime tools are not vulnerable.

📦 What is this software?

Webassembly Micro Runtime by Bytecodealliance

View all CVEs affecting Webassembly Micro Runtime →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service causing runtime unavailability for applications using WAMR in LLVM-JIT mode, potentially disrupting service continuity.

🟠

Likely Case

Runtime hangs or crashes when processing malicious or malformed WebAssembly modules containing the specific memory.fill instruction pattern.

🟢

If Mitigated

Minimal impact if using FAST-JIT mode or other runtime tools instead of LLVM-JIT mode.

🌐 Internet-Facing: MEDIUM - Applications exposed to untrusted WebAssembly modules could be DoS'd, but requires specific conditions.
🏢 Internal Only: LOW - Internal systems typically process trusted WebAssembly modules, reducing exploitation likelihood.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to execute WebAssembly modules with specific memory.fill instruction patterns in LLVM-JIT mode.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.2

Vendor Advisory: https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-xj5p-r8jq-pw47

Restart Required: No

Instructions:

1. Update WAMR to version 2.4.2 or later. 2. Recompile any applications using WAMR with the updated version. 3. Replace existing WAMR installations with patched version.

🔧 Temporary Workarounds

Switch to FAST-JIT mode

all

Use FAST-JIT mode instead of LLVM-JIT mode as the vulnerability does not affect FAST-JIT.

Configure WAMR runtime to use FAST-JIT mode instead of LLVM-JIT mode

🧯 If You Can't Patch

  • Implement input validation to reject WebAssembly modules with memory.fill instructions having first operand >= 2GiB
  • Deploy runtime monitoring to detect and restart hung WAMR processes

🔍 How to Verify

Check if Vulnerable:

Check if WAMR version is below 2.4.2 and LLVM-JIT mode is enabled in configuration.

Check Version:

wamrc --version or check build configuration for version information

Verify Fix Applied:

Verify WAMR version is 2.4.2 or later and test with WebAssembly modules containing problematic memory.fill instructions.

📡 Detection & Monitoring

Log Indicators:

  • Runtime process hangs without completion
  • Crash logs mentioning invalid pointer access in debug builds
  • Abnormal termination of WAMR processes

Network Indicators:

  • Service unavailability for applications using WAMR

SIEM Query:

Process: (wamr OR wasm-micro-runtime) AND (Event: (hang OR crash OR abnormal_termination))

📊 Metadata

CVE ID: CVE-2025-58749
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-190
EPSS Score: 0.05% exploit probability (14.2th percentile)
Published: September 16, 2025
Last Updated: September 20, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-58749, you might also want to check these:

CVE-2025-64721 10.0

This vulnerability in Sandboxie allows sandboxed processes to exploit an integer overflow in the Sbi...

Same vulnerability type (CWE-190)
CVE-2025-52581 9.8

An integer overflow vulnerability in libbiosig's GDF file parsing allows arbitrary code execution wh...

Same vulnerability type (CWE-190)
CVE-2025-53518 9.8

An integer overflow vulnerability in libbiosig's ABF file parser allows arbitrary code execution whe...

Same vulnerability type (CWE-190)