PT-2025-30073 · Bytecode Alliance · Wasmtime

Hatoo

Published: 2025-07-18 · Updated: 2025-11-04

CVE-2025-53901

CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
Wasmtime versions 24.0.0 through 24.0.3
Wasmtime versions 33.0.0 through 33.0.1
Wasmtime versions 34.0.0 through 34.0.1

Description
Wasmtime is a runtime for WebAssembly. A bug in Wasmtime's implementation of the WASIp1 set of import functions allows a WebAssembly guest to induce a panic in the host (embedder). The issue is triggered by calling path_open after calling fd_renumber with either two equal argument values or a second argument equal to a previously closed file descriptor number. The resulting corrupt file-descriptor table state leads to a panic when opening a file descriptor. This panic is considered a denial-of-service vector for WebAssembly embedders. This bug does not affect WASIp2 or embedders using components.

Recommendations
Update to Wasmtime version 24.0.4.
Update to Wasmtime version 33.0.2.
Update to Wasmtime version 34.0.2.
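To turn the affected-version list and the recommendations above into an automatable check, the following Rust program (an added example, not code from the advisory or from the Wasmtime project) parses a Wasmtime version string, reports whether it falls inside one of the three affected ranges listed here, and names the release the advisory recommends upgrading to. It assumes plain MAJOR.MINOR.PATCH version strings; a version outside the listed ranges is reported only as "not in a listed range", since the advisory says nothing about other releases.

```rust
// Added example: check a Wasmtime version against the affected ranges in this advisory.
// Assumption: versions are "MAJOR.MINOR.PATCH" strings as Wasmtime publishes them.

/// (first affected, last affected, recommended fixed release), taken from the advisory text.
const AFFECTED_RANGES: &[(&str, &str, &str)] = &[
    ("24.0.0", "24.0.3", "24.0.4"),
    ("33.0.0", "33.0.1", "33.0.2"),
    ("34.0.0", "34.0.1", "34.0.2"),
];

/// Parse "MAJOR.MINOR.PATCH" into a tuple that compares lexicographically.
/// Any "-pre" or "+build" suffix is ignored (hypothetical tolerance, not advisory text).
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.trim().parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next()?.ok()?;
    let patch = parts.next()?.ok()?;
    if parts.next().is_some() {
        return None; // more than three components: not a plain semver core
    }
    Some((major, minor, patch))
}

#[derive(Debug, PartialEq)]
enum Status {
    /// Inside an affected range; `fixed_in` is the release the advisory recommends.
    Affected { fixed_in: &'static str },
    /// Not inside any range listed in this advisory (says nothing about other issues).
    NotInListedRange,
    /// Version string could not be parsed.
    Unparseable,
}

/// Compare a version against every affected range, inclusive on both ends.
fn check_wasmtime_version(version: &str) -> Status {
    let v = match parse_version(version) {
        Some(v) => v,
        None => return Status::Unparseable,
    };
    for (lo, hi, fixed) in AFFECTED_RANGES {
        let lo = parse_version(lo).expect("range constants are well-formed");
        let hi = parse_version(hi).expect("range constants are well-formed");
        if v >= lo && v <= hi {
            return Status::Affected { fixed_in: fixed };
        }
    }
    Status::NotInListedRange
}

fn main() {
    // Constructed sample inputs, including a malformed one.
    for v in ["24.0.3", "24.0.4", "33.0.1", "34.0.2", "30.0.0", "garbage"] {
        println!("{v}: {:?}", check_wasmtime_version(v));
    }
}
```

The version string can come from `wasmtime --version` output or from `Cargo.lock` in an embedder's build; feeding it to `check_wasmtime_version` in CI gives a direct pass/fail against the ranges in this advisory.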

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2025-53901
GHSA-FM79-3F68-H2FC
OPENSUSE-SU-2025:15398-1
OPENSUSE-SU-2025:15704-1
RUSTSEC-2025-0046

Affected Products

Debian
Wasmtime