Wasmtime · Wasmtime · CVE-2024-51745
**Name of the Vulnerable Software and Affected Versions**
Wasmtime versions prior to 24.0.2
Wasmtime versions prior to 25.0.3
Wasmtime versions prior to 26.0.1
**Description**
The issue concerns Wasmtime's filesystem sandbox implementation on Windows, which fails to block access to special device filenames using superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. This allows untrusted Wasm programs to bypass the sandbox and access devices through these special filenames, potentially gaining access to peripheral devices connected to the computer or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.
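The gap described above, as an added Rust example (not Wasmtime's own code): a device-name check that recognizes only ASCII digits lets "COM¹" through, while one that also treats superscript digits as digits rejects it. The function names are hypothetical, blocking all ten superscript digits is a conservative assumption, and only the CON/PRN/AUX/NUL/COMn/LPTn names are covered.

```rust
/// ASCII-only digit test: the incomplete check the description refers to.
fn ascii_digit(c: char) -> bool {
    c.is_ascii_digit()
}

/// ASCII digits plus superscript digits. U+00B9, U+00B2 and U+00B3 sit in
/// Latin-1; the others are U+2070 and U+2074..=U+2079 (conservative assumption).
fn digit_like(c: char) -> bool {
    c.is_ascii_digit()
        || matches!(c, '\u{00B9}' | '\u{00B2}' | '\u{00B3}' | '\u{2070}' | '\u{2074}'..='\u{2079}')
}

/// Returns true if one path component names a Windows device, using the
/// supplied digit test (hypothetical helper, for illustration only).
fn is_device_name(component: &str, digit: fn(char) -> bool) -> bool {
    // Extensions and trailing spaces are ignored: "NUL.txt" still means NUL.
    let stem = component.split('.').next().unwrap_or("").trim_end_matches(' ');
    let upper = stem.to_ascii_uppercase();
    if matches!(upper.as_str(), "CON" | "PRN" | "AUX" | "NUL") {
        return true;
    }
    // COM<d> / LPT<d>: exactly one digit-like character after the prefix.
    for prefix in ["COM", "LPT"] {
        if let Some(rest) = upper.strip_prefix(prefix) {
            let mut chars = rest.chars();
            if let (Some(d), None) = (chars.next(), chars.next()) {
                if digit(d) {
                    return true;
                }
            }
        }
    }
    false
}

fn main() {
    // Constructed sample names, not taken from the advisory's test suite.
    for name in ["COM1", "COM\u{00B9}", "lpt\u{2070}.txt", "nul.txt", "COM10", "notes.txt"] {
        println!("{:<10} ascii-only={:<5} with-superscripts={}",
            name, is_device_name(name, ascii_digit), is_device_name(name, digit_like));
    }
}
```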
**Recommendations**
For Wasmtime versions 23.0.x and prior, upgrade to one of the patched versions, such as 24.0.2, 25.0.3, or 26.0.1.
There are no known workarounds for this issue, so affected Windows users should upgrade to a patched version.