PT-2025-41158 · Bytecode Alliance · Wasmtime

Alexcrichton · Published 2025-10-07 · Updated 2025-10-07

CVE-2025-61670

CVSS v3.1: 3.3 (Low)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Wasmtime versions 37.0.0 through 37.0.1

Description

Wasmtime, a runtime for WebAssembly, leaks memory in its C/C++ API when bindings for anyref or externref WebAssembly values are used. The issue is a regression introduced during the development of version 37.0.0, caused by a refactoring from ManuallyRooted<T> to OwnedRooted<T> in Rust. The C and C++ APIs were not fully updated to reflect the new ownership semantics of OwnedRooted<T>, which led to the leaks. Specifically, a typo in the wasmtime_val_unroot function prevented proper unrooting, and wasmtime_{externref,anyref}_t values returned by host-defined functions were never unrooted. The C++ API also lacked destructors on the relevant types, which contributed further to the issue. The leaks occur when anyref or externref are used in the C/C++ API; the wasmtime Rust crate is not affected.

Recommendations

Update to Wasmtime version 37.0.2 or later to address the memory leaks in the C/C++ API. If updating is not immediately possible, avoid using externref and anyref in the C/C++ API of Wasmtime.

Weakness Enumeration

Missing Release of Resource after Effective Lifetime

Related Identifiers

CVE-2025-61670
GHSA-VVP9-H8P2-XWFC

Affected Products

Wasmtime