PT-2025-21340

Yagehu · Published 2025-05-15 · Updated 2025-09-19 · CVE-2025-43853

CVSS v4.0: 7.0 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: WAMR versions up to and including 2.2.0; WAMR built with libc-uvwasi on Windows
Description: The issue is a symlink-following vulnerability in the WebAssembly Micro Runtime (WAMR). On WAMR running on Windows, creating a symlink that points outside the preopened directory and then opening it with the create flag creates a file on the host outside the sandbox. If the symlink points to an existing host file, it is also possible to open that file and read its contents.
Recommendations: For WAMR versions up to and including 2.2.0, update to version 2.3.0 to fix the issue. For WAMR built with libc-uvwasi on Windows, update to a version that does not use libc-uvwasi or apply a patch that fixes the symlink-following vulnerability. As a temporary workaround, consider restricting the use of the create flag when opening files to minimize the risk of exploitation.

Related Identifiers

CVE-2025-43853
GHSA-8FC8-4G25-C8M7

Affected Products

Wamr
Libc-Uvwasi