PT-2024-34878 · Wasmtime · Wasmtime
Nathaniel-Daniel · Published 2024-11-02 · Updated 2024-11-06 · CVE-2024-51745
CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Wasmtime versions prior to 24.0.2
Wasmtime versions prior to 25.0.3
Wasmtime versions prior to 26.0.1
Description
The issue concerns Wasmtime's filesystem sandbox implementation on Windows, which fails to block access to special device filenames using superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. This allows untrusted Wasm programs to bypass the sandbox and access devices through these special filenames, potentially gaining access to peripheral devices connected to the computer or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial ports.
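The gap described above, shown as an added Rust example that is not Wasmtime's code: a device-name denylist that recognises only ASCII digits after COM/LPT, beside one that folds superscript digits before matching. The function names, the stem rule (text before the first dot, trailing spaces dropped) and the choice to treat every Unicode superscript digit as a digit are assumptions of this example.

```rust
// Added example, not Wasmtime code; all names are hypothetical.

/// Fold an ASCII or superscript digit to its numeric value.
/// Assumption: every Unicode superscript digit counts, a deliberately
/// broad set for a denylist.
fn fold_digit(c: char) -> Option<u32> {
    match c {
        '0'..='9' => c.to_digit(10),
        '\u{2070}' => Some(0), // superscript zero
        '\u{00B9}' => Some(1), // superscript one
        '\u{00B2}' => Some(2), // superscript two
        '\u{00B3}' => Some(3), // superscript three
        '\u{2074}'..='\u{2079}' => Some(c as u32 - 0x2070), // superscript 4..9
        _ => None,
    }
}

/// Assumed matching rule: text before the first '.', trailing spaces
/// dropped, ASCII upper-cased.
fn stem(component: &str) -> String {
    let first = component.split('.').next().unwrap_or("");
    first.trim_end_matches(' ').to_ascii_uppercase()
}

fn matches_device(component: &str, is_digit: fn(char) -> bool) -> bool {
    let s = stem(component);
    if matches!(s.as_str(), "CON" | "PRN" | "AUX" | "NUL") {
        return true;
    }
    let chars: Vec<char> = s.chars().collect();
    chars.len() == 4 && (s.starts_with("COM") || s.starts_with("LPT")) && is_digit(chars[3])
}

/// Incomplete denylist: only ASCII digits are recognised after COM/LPT.
fn is_reserved_ascii_only(component: &str) -> bool {
    matches_device(component, |c| c.is_ascii_digit())
}

/// Hardened denylist: superscript digits are folded before matching.
fn is_reserved(component: &str) -> bool {
    matches_device(component, |c| fold_digit(c).is_some())
}

fn main() {
    // Constructed sample path components.
    for name in ["COM1", "COM\u{00B9}", "lpt\u{2070}.txt", "COMET", "notes.txt"] {
        println!("{:?}: ascii_only={} hardened={}", name, is_reserved_ascii_only(name), is_reserved(name));
    }
}
```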
Recommendations
For Wasmtime versions 23.0.x and prior, upgrade to one of the patched versions, such as 24.0.2, 25.0.3, or 26.0.1.
As there are no known workarounds for this issue, affected Windows users are recommended to upgrade to a patched version.
Incomplete List of Disallowed Inputs
Affected Products
Wasmtime