Platform: other
Component: wabt
Fixed in: 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.0.12, 1.0.13, 1.0.14, 1.0.15, 1.0.16, 1.0.17, 1.0.18, 1.0.19, 1.0.20, 1.0.21, 1.0.22, 1.0.23, 1.0.24, 1.0.25, 1.0.26, 1.0.27, 1.0.28, 1.0.29, 1.0.30, 1.0.31, 1.0.32, 1.0.33, 1.0.34, 1.0.35, 1.0.36, 1.0.37, 1.0.38
CVE-2025-6275 describes a Use-After-Free vulnerability discovered in WebAssembly wabt, affecting versions from 1.0.0 through 1.0.37. This flaw resides within the GetFuncOffset function of the binary-reader-interp.cc file, potentially allowing for memory corruption. A fix is available in version 1.0.38, and the vulnerability has been publicly disclosed.
The Use-After-Free vulnerability in wabt allows an attacker to potentially trigger memory corruption. While the maintainer disputed a similar report, the potential for exploitation exists, particularly in scenarios where wabt is used to process untrusted WebAssembly modules. Successful exploitation could lead to denial-of-service (DoS) by crashing the wabt process or, in more complex scenarios, potentially allow for arbitrary code execution depending on the broader system context and how wabt is integrated. The impact is amplified if wabt is used in a critical infrastructure component or a system handling sensitive data.
CVE-2025-6275 was publicly disclosed on 2025-06-19. While a public proof-of-concept is currently unavailable, the vulnerability's disclosure and the potential for memory corruption raise concerns. The maintainer's previous dispute regarding a similar issue suggests the possibility of further scrutiny and potential re-evaluation of the vulnerability's severity and exploitability. The EPSS score is pending evaluation.
EPSS: 0.06% (18% percentile)
The primary mitigation for CVE-2025-6275 is to upgrade to WebAssembly wabt version 1.0.38 or later. If upgrading is not immediately feasible, consider isolating wabt processes to limit the blast radius of a potential exploit. While a direct WAF rule is unlikely, monitoring wabt process behavior for unexpected memory access patterns could provide early detection. Review any custom WebAssembly modules processed by wabt for potential vulnerabilities that could be exploited in conjunction with this flaw.
Update the WebAssembly wabt library to a version later than 1.0.9, if available, to fix the use-after-free vulnerability. Monitor discussions regarding the validity of this CVE, as it may be disputed. Refer to the release notes for more details about the fix.
CVE-2025-6275 is a Use-After-Free vulnerability affecting WebAssembly wabt versions 1.0.0–1.0.37. It allows for potential memory corruption when processing WebAssembly modules.
If you are using WebAssembly wabt versions 1.0.0 through 1.0.37, you are potentially affected by this vulnerability. Check your installed version and upgrade if necessary.
Upgrade to WebAssembly wabt version 1.0.38 or later to remediate the vulnerability. If immediate upgrade is not possible, consider isolating wabt processes.
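An added example (not from the advisory or the wabt project) that classifies a wabt version string against the range stated above: 1.0.0 through 1.0.37 affected, 1.0.38 or later fixed. It compares the components numerically, because a plain string comparison ranks 1.0.9 above 1.0.38. The function names and sample strings are constructed, and it assumes `wasm2wat --version` prints the version string.

```shell
#!/bin/sh
# Added example. Range taken from the advisory text:
# affected 1.0.0 through 1.0.37, fixed in 1.0.38.

# wabt_status VERSION -> prints "affected", "fixed" or "unknown".
wabt_status() {
    printf '%s\n' "$1" | awk '
    {
        sub(/^v/, "")                        # tolerate a tag-style "v" prefix
        if (!match($0, /^[0-9]+\.[0-9]+\.[0-9]+/)) { print "unknown"; exit }
        split(substr($0, 1, RLENGTH), p, ".")
        maj = p[1] + 0; min = p[2] + 0; pat = p[3] + 0   # numeric, not lexical
        if (maj == 1 && min == 0 && pat <= 37)
            print "affected"
        else if (maj > 1 || (maj == 1 && (min > 0 || pat >= 38)))
            print "fixed"
        else
            print "unknown"                  # below 1.0.0: advisory is silent
    }'
}

# Assumption: the installed tool accepts --version and prints its version.
wabt_installed_status() {
    command -v wasm2wat >/dev/null 2>&1 || { echo "not-installed"; return 0; }
    wabt_status "$(wasm2wat --version 2>/dev/null | head -n 1)"
}

# Constructed sample strings, including a git-describe style suffix.
for v in 1.0.9 1.0.37 1.0.38 v1.0.36-12-gabcdef 0.9.0; do
    printf '%-22s %s\n' "$v" "$(wabt_status "$v")"
done
printf '%-22s %s\n' "installed wasm2wat" "$(wabt_installed_status)"
```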
While no public exploit is currently available, the vulnerability has been disclosed and may be exploited. Monitor your systems for suspicious activity.
Refer to the official WebAssembly project website and security advisories for the most up-to-date information regarding CVE-2025-6275.