CVE-2025-15412

Summary

A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.

Affected Software

VendorProductVersion RangeStatus
WebAssemblywabt1.0.0affected
WebAssemblywabt1.0.1affected
WebAssemblywabt1.0.2affected
WebAssemblywabt1.0.3affected
WebAssemblywabt1.0.4affected
WebAssemblywabt1.0.5affected
WebAssemblywabt1.0.6affected
WebAssemblywabt1.0.7affected
WebAssemblywabt1.0.8affected
WebAssemblywabt1.0.9affected
WebAssemblywabt1.0.10affected
WebAssemblywabt1.0.11affected
WebAssemblywabt1.0.12affected
WebAssemblywabt1.0.13affected
WebAssemblywabt1.0.14affected
WebAssemblywabt1.0.15affected
WebAssemblywabt1.0.16affected
WebAssemblywabt1.0.17affected
WebAssemblywabt1.0.18affected
WebAssemblywabt1.0.19affected
WebAssemblywabt1.0.20affected
WebAssemblywabt1.0.21affected
WebAssemblywabt1.0.22affected
WebAssemblywabt1.0.23affected
WebAssemblywabt1.0.24affected
WebAssemblywabt1.0.25affected
WebAssemblywabt1.0.26affected
WebAssemblywabt1.0.27affected
WebAssemblywabt1.0.28affected
WebAssemblywabt1.0.29affected
WebAssemblywabt1.0.30affected
WebAssemblywabt1.0.31affected
WebAssemblywabt1.0.32affected
WebAssemblywabt1.0.33affected
WebAssemblywabt1.0.34affected
WebAssemblywabt1.0.35affected
WebAssemblywabt1.0.36affected
WebAssemblywabt1.0.37affected
WebAssemblywabt1.0.38affected
WebAssemblywabt1.0.39affected

Weaknesses

  • CWE-125: Out-of-Bounds Read
  • CWE-119: Memory Corruption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References