Component Model Bug in Wasmtime Affects Multiple Versions
CVE-2025-62711

2.1LOW

Key Information:

Vendor

Bytecodealliance

Status
Wasmtime
Vendor
CVE Published:
24 October 2025

What is CVE-2025-62711?

A vulnerability exists in WebAssembly runtime Wasmtime, specifically in versions 38.0.0 to before 38.0.3. A bug in the implementation of component-model related host-to-Wasm trampolines allows for the crafting of components which, when invoked in a particular manner, can lead to a segmentation fault or assertion failure within the host environment. This issue has been addressed in Wasmtime version 38.0.3, which includes a patch for the identified fault, and no immediate workarounds are available.

Affected Version(s)

wasmtime >= 38.0.0, < 38.0.3

References

https://github.com/bytecodealliance/wasmtime/security/adv...
x_refsource_CONFIRM
https://github.com/bytecodealliance/wasmtime/pull/11592
x_refsource_MISC
https://github.com/bytecodealliance/wasmtime/commit/192f2...
x_refsource_MISC

CVSS V4

Score:
2.1
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.