Memory Leak Vulnerabilities in Wasmtime Runtime for WebAssembly
CVE-2025-61670


Key Information:

Status
Vendor
CVE Published: 7 October 2025

What is CVE-2025-61670?

The C/C++ API of Wasmtime, a runtime for WebAssembly, leaks memory in versions 37.0.0 and 37.0.1. The issue is a regression caused by a refactor of the OwnedRooted<T> type. The refactor was intended to simplify memory management, but it left the C and C++ APIs susceptible to leaks when the anyref or externref types are used. As a result, certain bindings may not manage memory properly, and the resulting leaks are permanent: the memory is not reclaimed when the store is destroyed. Version 37.0.2 fixes the issue so that these resources are released correctly.

Affected Version(s)

wasmtime >= 37.0.0, < 37.0.2

CVSS V4

Score: 1
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
