Platform
other
Component
wabt
Fixed in
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.0.13
1.0.14
1.0.15
1.0.16
1.0.17
1.0.18
1.0.19
1.0.20
1.0.21
1.0.22
1.0.23
1.0.24
1.0.25
1.0.26
1.0.27
1.0.28
1.0.29
1.0.30
1.0.31
1.0.32
1.0.33
1.0.34
1.0.35
1.0.36
1.0.37
1.0.38
CVE-2025-6273 is a reachable-assertion vulnerability discovered in the WebAssembly Binary Toolkit (wabt), versions 1.0.0 through 1.0.37. The flaw is located in the LogOpcode function of the binary-reader-objdump.cc file, and an attacker with local access could trigger the assertion. The vulnerability has been publicly disclosed, although the maintainers suggest its impact on typical wasm programs may be limited. A patch is available in version 1.0.38.
The vulnerability lies in the LogOpcode function, which is responsible for processing WebAssembly bytecode. A malicious actor with local access could craft specific input that triggers an assertion failure within this function. While the maintainers express doubt about the vulnerability's impact on 'real-world wasm programs,' a reachable assertion could still lead to program instability or denial of service. The potential for exploitation depends heavily on the specific wasm binaries being processed and the environment in which wabt is running. The assertion failure could expose internal state or lead to unexpected behavior, though the exact consequences remain uncertain.
CVE-2025-6273 was publicly disclosed on 2025-06-19. While a proof-of-concept has been released, the maintainers have questioned its applicability to real-world scenarios. The EPSS score is pending evaluation. The vulnerability requires local access, limiting the potential for remote exploitation. The description indicates doubt regarding the vulnerability's impact, suggesting a low probability of widespread exploitation.
Systems utilizing older versions of the WebAssembly Binary Toolkit (wabt) are at risk, particularly those where local access is not strictly controlled. Developers and users who process untrusted WebAssembly binaries with wabt should be aware of this vulnerability, even if the maintainers consider its impact limited.
EPSS
0.04% (13th percentile)
The primary mitigation for CVE-2025-6273 is to upgrade to version 1.0.38 or later of the WebAssembly Binary Toolkit. If upgrading is not immediately feasible, consider restricting local access to systems running wabt to prevent potential exploitation. While a direct WAF rule is unlikely to be effective due to the nature of the vulnerability, carefully reviewing and sanitizing any input processed by wabt can help reduce the risk. There are no specific Sigma or YARA rules available for this vulnerability at this time due to its uncertain impact.
Upgrade to a wabt version later than 1.0.9, if available, to mitigate the vulnerability. If no fixed version is available, consider patching the source code manually or avoiding the LogOpcode function in src/binary-reader-objdump.cc until an official fix is released. Note that exploitation requires local access.
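The upgrade gate and containment from the mitigation text, as an added example (not wabt project code): it refuses to process a file when the installed tool reports a version in the affected range 1.0.0 to 1.0.37, and otherwise runs the tool in a child process so an assertion abort becomes a verdict instead of ending the calling job. The function names, the verdict strings and the use of `wasm-objdump -d` as the call that reaches LogOpcode are assumptions.

```python
import re
import signal
import subprocess

FIXED = (1, 0, 38)  # first fixed release according to this page

def parse_version(text):
    """Extract (major, minor, patch) from `--version` output, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def is_affected(version_text):
    """True for 1.0.0 through 1.0.37; unparseable output fails closed."""
    v = parse_version(version_text)
    return v is None or (1, 0, 0) <= v < FIXED

def classify(returncode):
    """Map a child exit status to a verdict for the calling pipeline."""
    if returncode == 0:
        return "ok"
    if returncode == -signal.SIGABRT:
        return "aborted"   # assert()/abort() fired inside the tool
    if returncode < 0:
        return "crashed"   # killed by some other signal
    return "rejected"      # tool reported an error and exited normally

def run_isolated(argv, timeout=10):
    """Run a tool in a child process so an abort cannot take down the caller."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    return classify(proc.returncode)

def inspect_untrusted(path, tool="wasm-objdump"):
    """Gate on the installed version, then disassemble in isolation.

    Assumption: `-d` (disassemble) is the mode that exercises LogOpcode.
    """
    ver = subprocess.run([tool, "--version"], capture_output=True, text=True)
    if is_affected(ver.stdout):
        return "blocked: upgrade wabt to 1.0.38 or later"
    return run_isolated([tool, "-d", path])
```

An "aborted" or "crashed" verdict is worth logging together with a hash of the input file, so the offending binary can be quarantined and examined later.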
CVE-2025-6273 is a LOW severity vulnerability in wabt versions 1.0.0–1.0.37 affecting the LogOpcode function, potentially leading to a reachable assertion with local access.
If you are using wabt versions 1.0.0 through 1.0.37, you are potentially affected. Assess your local access controls and consider the criticality of the wasm binaries you process.
Upgrade to version 1.0.38 or later of the WebAssembly Binary Toolkit. Restrict local access if immediate upgrading is not possible.
While a proof-of-concept exists, active exploitation is not confirmed. The maintainers question the vulnerability's impact on real-world programs, suggesting a low probability of exploitation.
Refer to the official WebAssembly Binary Toolkit project website and security advisories for the most up-to-date information regarding CVE-2025-6273.