WebAssembly Runtime Vulnerability in Wasmtime by Bytecode Alliance
CVE-2025-53901

CVSS score: 3.5 (LOW)

Key Information:

CVE Published: 18 July 2025

What is CVE-2025-53901?

A vulnerability in Wasmtime, a runtime for WebAssembly, allows a specially crafted call to fd_renumber to induce a panic in the host system when a file descriptor is subsequently opened. The panic can be triggered when fd_renumber is called with equal arguments or with a previously closed file descriptor number. The issue does not compromise memory safety and does not allow escape from the WebAssembly sandbox, but it does pose a denial-of-service risk for applications that embed Wasmtime. It affects the wasmtime-wasi crate and requires that the embedding gives the guest a way to create additional file descriptors. Users are advised to update to patched versions 24.0.4, 33.0.2, or 34.0.2 to mitigate the risk.

Affected Version(s)

wasmtime < 24.0.4

wasmtime >= 33.0.0, < 33.0.2

wasmtime >= 34.0.0, < 34.0.2
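
To check a project against the ranges above, the following added example (not code from this page or from the Wasmtime project) scans Cargo.lock text for wasmtime and wasmtime-wasi entries in an affected range. The function names, the choice to watch both crate names, and the sample lock file are assumptions made for illustration.

```rust
// Added example (not Wasmtime project code): flag affected Cargo.lock entries.
type Ver = (u64, u64, u64);

// Strict major.minor.patch parse; anything else (e.g. pre-releases) is None.
fn parse_ver(s: &str) -> Option<Ver> {
    let mut it = s.split('.').map(|p| p.parse::<u64>().ok());
    let v = (it.next()??, it.next()??, it.next()??);
    if it.next().is_some() { None } else { Some(v) }
}

// Ranges as listed under "Affected Version(s)"; tuples compare lexicographically.
fn is_affected(v: Ver) -> bool {
    v < (24, 0, 4)
        || (v >= (33, 0, 0) && v < (33, 0, 2))
        || (v >= (34, 0, 0) && v < (34, 0, 2))
}

// Returns the quoted value of a `key = "value"` line, if the line has that key.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

// Scans Cargo.lock text; watching both crate names is an assumption of this example.
fn affected_packages(lock: &str) -> Vec<(String, String)> {
    let (mut hits, mut name) = (Vec::new(), String::new());
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name.clear();
        } else if let Some(v) = value_of(line, "name") {
            name = v.to_string();
        } else if let Some(v) = value_of(line, "version") {
            let watched = name == "wasmtime" || name == "wasmtime-wasi";
            if watched && parse_ver(v).map_or(false, is_affected) {
                hits.push((name.clone(), v.to_string()));
            }
        }
    }
    hits
}

// Constructed sample lock file, not taken from any real project.
const SAMPLE_LOCK: &str = "version = 3\n[[package]]\nname = \"wasmtime\"\nversion = \"34.0.2\"\n\
[[package]]\nname = \"wasmtime-wasi\"\nversion = \"33.0.1\"\n";

fn main() {
    for (n, v) in affected_packages(SAMPLE_LOCK) {
        println!("{} {} is in an affected range; update to 24.0.4, 33.0.2 or 34.0.2", n, v);
    }
}
```

Versions that are not plain major.minor.patch strings are skipped rather than classified, so review those entries by hand.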

CVSS V3.1

Score: 3.5
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved