CVE-2025-43853

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it's also possible to open it and read its content. Version 2.3.0 fixes the issue.

CVSS

No CVSS.

References

Link	Resource
https://github.com/bytecodealliance/wasm-micro-runtime/commit/28702edaf739cdeee54e81efe5868bf00724c33c
https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-8fc8-4g25-c8m7

Configurations

No configuration.

History

16 May 2025, 14:43

Type	Values Removed	Values Added
Summary		(es) El paquete iwasm de WebAssembly Micro Runtime (WAMR) es el binario ejecutable compilado con WAMR VMcore, compatible con la Interfaz del Sistema WebAssembly (WASI) y la interfaz de línea de comandos. Cualquier usuario de WAMR (hasta la versión 2.2.0 incluida) o compilado con libc-uvwasi en Windows se ve afectado por una vulnerabilidad de enlace simbólico. En WAMR en Windows, al crear un enlace simbólico que apunte fuera del directorio preabierto y abrirlo posteriormente con el indicador de creación, se creará un archivo en el host fuera del entorno de pruebas. Si el enlace simbólico apunta a un archivo del host existente, también es posible abrirlo y leer su contenido. La versión 2.3.0 soluciona el problema.

15 May 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-15 18:15

Updated : 2025-05-16 14:43

NVD link : CVE-2025-43853

Mitre link : CVE-2025-43853

CVE.ORG link : CVE-2025-43853

JSON object : View

Products Affected

No product.

CWE

CWE-61

UNIX Symbolic Link (Symlink) Following

{"id": "CVE-2025-43853", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.0, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-15T18:15:37.760", "references": [{"url": "https://github.com/bytecodealliance/wasm-micro-runtime/commit/28702edaf739cdeee54e81efe5868bf00724c33c", "source": "security-advisories@github.com"}, {"url": "https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-8fc8-4g25-c8m7", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-61"}]}], "descriptions": [{"lang": "en", "value": "The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it's also possible to open it and read its content. Version 2.3.0 fixes the issue."}, {"lang": "es", "value": "El paquete iwasm de WebAssembly Micro Runtime (WAMR) es el binario ejecutable compilado con WAMR VMcore, compatible con la Interfaz del Sistema WebAssembly (WASI) y la interfaz de l\u00ednea de comandos. Cualquier usuario de WAMR (hasta la versi\u00f3n 2.2.0 incluida) o compilado con libc-uvwasi en Windows se ve afectado por una vulnerabilidad de enlace simb\u00f3lico. En WAMR en Windows, al crear un enlace simb\u00f3lico que apunte fuera del directorio preabierto y abrirlo posteriormente con el indicador de creaci\u00f3n, se crear\u00e1 un archivo en el host fuera del entorno de pruebas. Si el enlace simb\u00f3lico apunta a un archivo del host existente, tambi\u00e9n es posible abrirlo y leer su contenido. La versi\u00f3n 2.3.0 soluciona el problema."}], "lastModified": "2025-05-16T14:43:26.160", "sourceIdentifier": "security-advisories@github.com"}