WebAssembly Micro Runtime Vulnerability in WAMR's iwasm Package
CVE-2025-54126

6.9MEDIUM

Key Information:

Vendor

Bytecodealliance

Status
Wasm-micro-runtime
Vendor
CVE Published:
29 July 2025

What is CVE-2025-54126?

The iwasm package in the WebAssembly Micro Runtime (WAMR) improperly manages IP address settings by using the --addr-pool option without a subnet mask in versions 2.4.0 and below. This misconfiguration can inadvertently permit all incoming connections, effectively nullifying intended access restrictions. As a result, services that depend on this configuration may become vulnerable to unauthorized access, particularly in production environments where there is an assumption of default secure settings. A fix is available in version 2.4.1.

Affected Version(s)

wasm-micro-runtime < 2.4.1

References

https://github.com/bytecodealliance/wasm-micro-runtime/se...
x_refsource_CONFIRM
https://github.com/bytecodealliance/wasm-micro-runtime/co...
x_refsource_MISC
https://github.com/bytecodealliance/wasm-micro-runtime/re...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-54126 : WebAssembly Micro Runtime Vulnerability in WAMR's iwasm Package