CVE-2025-66627

8.4 HIGH

📋 TL;DR

CVE-2025-66627 is a use-after-free vulnerability in Wasmi's linear memory implementation that occurs under specific memory growth conditions. It could allow an attacker to corrupt memory, disclose information, or execute arbitrary code. Affected systems include those running vulnerable versions of the Wasmi WebAssembly interpreter in constrained or embedded environments.

💻 Affected Systems

Products:
  • Wasmi WebAssembly interpreter
Versions: 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2, 1.0.0
Operating Systems: All platforms running Wasmi
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires WebAssembly module execution with specific memory growth patterns

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, or service disruption

🟠 Likely Case

Memory corruption leading to application crashes, denial of service, or limited information disclosure

🟢 If Mitigated

Controlled crashes or performance degradation with proper memory isolation and sandboxing

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious WebAssembly modules that trigger specific memory growth conditions

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.41.2, 0.47.1, 0.51.3, 1.0.1

Vendor Advisory: https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq

Restart Required: Yes

Instructions:

1. Identify current Wasmi version.
2. Update to patched version (0.41.2, 0.47.1, 0.51.3, or 1.0.1).
3. Restart affected services.
4. Recompile applications if statically linked.

🔧 Temporary Workarounds

Limit maximum linear memory sizes

Platforms: all

Restrict WebAssembly module memory allocation to reduce attack surface

Configure Wasmi runtime to enforce memory limits via environment or configuration

🧯 If You Can't Patch

  • Implement strict WebAssembly module validation and sandboxing
  • Deploy network segmentation and restrict access to Wasmi services

🔍 How to Verify

Check if Vulnerable:

Check Wasmi version against affected versions list

Check Version:

wasmi --version or check package manager

Verify Fix Applied:

Confirm version is 0.41.2, 0.47.1, 0.51.3, or 1.0.1
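
The version check above, as an added example (not code from this page or from the Wasmi project): it scans Cargo.lock text for the `wasmi` crate and classifies each pinned version against the lists printed here. Reading Cargo.lock and matching only the crate named `wasmi` are assumptions; 0.47.1 appears in both the affected range and the patched list on this page, so it is reported as `Conflict` for checking against the vendor advisory.

```rust
// Added example: classify wasmi versions pinned in Cargo.lock against this page's lists.
#[derive(Debug, PartialEq)]
pub enum Status { Affected, Patched, Conflict, NotListed }
type V = (u32, u32, u32);
// Inclusive ranges copied from the "Versions" line of this page.
const AFFECTED: [(V, V); 4] = [
    ((0, 41, 0), (0, 41, 1)),
    ((0, 42, 0), (0, 47, 1)),
    ((0, 50, 0), (0, 51, 2)),
    ((1, 0, 0), (1, 0, 0)),
];
// Copied from the "Patch Version" line of this page.
const PATCHED: [V; 4] = [(0, 41, 2), (0, 47, 1), (0, 51, 3), (1, 0, 1)];

// Accepts only plain MAJOR.MINOR.PATCH; pre-release or build suffixes yield None.
fn parse(v: &str) -> Option<V> {
    let mut it = v.split('.').map(|p| p.parse::<u32>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

pub fn classify(version: &str) -> Status {
    let Some(v) = parse(version) else { return Status::NotListed };
    let affected = AFFECTED.iter().any(|(lo, hi)| *lo <= v && v <= *hi);
    match (affected, PATCHED.contains(&v)) {
        (true, true) => Status::Conflict, // listed as both affected and patched
        (true, false) => Status::Affected,
        (false, true) => Status::Patched,
        (false, false) => Status::NotListed,
    }
}

// Assumption: only the crate named exactly "wasmi" is checked (not wasmi_core etc.).
pub fn scan_lockfile(lock: &str) -> Vec<(String, Status)> {
    lock.split("[[package]]")
        .filter(|pkg| pkg.lines().any(|l| l.trim() == "name = \"wasmi\""))
        .filter_map(|pkg| pkg.lines().find_map(|l| l.trim().strip_prefix("version = \"")))
        .map(|v| v.trim_end_matches('"'))
        .map(|v| (v.to_string(), classify(v)))
        .collect()
}

fn main() {
    // Constructed Cargo.lock excerpt, not taken from a real project.
    let lock = "[[package]]\nname = \"wasmi\"\nversion = \"0.51.2\"\n\n[[package]]\nname = \"wasmi_core\"\nversion = \"0.51.2\"\n";
    for (v, s) in scan_lockfile(lock) {
        println!("wasmi {v}: {s:?}");
    }
}
```
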

📡 Detection & Monitoring

Log Indicators:

  • Unexpected memory allocation patterns
  • Application crashes with memory errors
  • Unusual WebAssembly module execution

Network Indicators:

  • Suspicious WebAssembly module uploads
  • Unusual traffic to Wasmi endpoints

SIEM Query:

source="wasmi" AND (event="memory_error" OR event="crash")
