
CVE-2025-43853: CWE-61: UNIX Symbolic Link (Symlink) Following in bytecodealliance wasm-micro-runtime

High
Tags: Vulnerability, CVE-2025-43853, cve, cwe-61
Published: Thu May 15 2025 (05/15/2025, 17:13:11 UTC)
Source: CVE
Vendor/Project: bytecodealliance
Product: wasm-micro-runtime

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with the WAMR VMcore that supports the WebAssembly System Interface (WASI) and a command line interface. Anyone running WAMR up to and including version 2.2.0, or WAMR built with libc-uvwasi on Windows, is affected by a symlink following vulnerability. On WAMR running on Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with the create flag will create a file on the host outside of the sandbox. If the symlink points to an existing host file, it is also possible to open it and read its content. Version 2.3.0 fixes the issue.

AI-Powered Analysis

Last updated: 07/12/2025, 01:02:04 UTC

Technical Analysis

CVE-2025-43853 is a high-severity vulnerability affecting the WebAssembly Micro Runtime (WAMR), specifically its iwasm package, which is an executable binary built with the WAMR VMcore supporting the WebAssembly System Interface (WASI) and a command line interface. The vulnerability exists in versions of WAMR up to and including 2.2.0, as well as in WAMR built with libc-uvwasi on Windows platforms. It is a symbolic link (symlink) following vulnerability, categorized under CWE-61. The issue arises because WAMR running on Windows allows a guest to create symlinks that point outside of the preopened directory sandbox. If an attacker creates such a symlink and opens it with the create flag, WAMR creates or opens files on the host system outside the intended sandbox boundary. This can lead to unauthorized file creation or to reading of existing host files, breaking the sandbox isolation that WebAssembly environments rely on for security. The vulnerability does not require authentication or user interaction and can be exploited locally by an attacker able to run or influence WebAssembly modules executed by WAMR on Windows. It was fixed in version 2.3.0 of WAMR. The CVSS 4.0 score is 7.0 (high), reflecting the local attack vector, low attack complexity, and no privileges or user interaction required, with high confidentiality impact and limited integrity and availability impacts. No known exploits in the wild have been reported yet.
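To make the mechanism described above concrete, here is an added Python model (not WAMR's code) of the two behaviours on a POSIX host: `naive_open` joins the guest path onto the preopened directory and follows whatever symlink it finds, while `sandboxed_open` resolves the path and refuses anything outside the preopened directory before opening. The directory layout and file names are constructed for the demonstration; the containment check also covers plain `..` traversal, not just symlinks.

```python
import os
import tempfile


def naive_open(root, rel, create=False):
    """Model of the flawed behaviour: join the guest path onto the preopened
    directory and open it, silently following any symlink on the way."""
    flags = os.O_RDWR | (os.O_CREAT if create else 0)
    return os.open(os.path.join(root, rel), flags, 0o600)


def is_inside(root, candidate):
    """True if candidate, after resolving symlinks and '..', stays under root."""
    root = os.path.realpath(root)
    resolved = os.path.realpath(candidate)
    return resolved == root or resolved.startswith(root + os.sep)


def sandboxed_open(root, rel, create=False):
    """Hardened variant: resolve the full path first (a dangling symlink still
    resolves to its target), refuse anything outside root, then open the
    resolved path with O_NOFOLLOW so a link swapped in afterwards is not
    followed either."""
    target = os.path.join(root, rel)
    if not is_inside(root, target):
        raise PermissionError(f"{rel!r} resolves outside the preopened directory")
    flags = os.O_RDWR | os.O_NOFOLLOW | (os.O_CREAT if create else 0)
    return os.open(os.path.realpath(target), flags, 0o600)


def demo():
    """Constructed scenario: a symlink inside the sandbox points at a host path
    outside it. Returns (naive_leaked, hardened_refused, file_left_behind)."""
    with tempfile.TemporaryDirectory() as host:
        sandbox = os.path.join(host, "preopen")
        os.mkdir(sandbox)
        outside = os.path.join(host, "escaped.txt")  # host file outside the sandbox
        os.symlink(outside, os.path.join(sandbox, "link"))
        # Flawed path: the create flag follows the link and writes outside.
        os.close(naive_open(sandbox, "link", create=True))
        leaked = os.path.exists(outside)
        os.remove(outside)
        # Hardened path: the containment check fires before any file is created.
        try:
            sandboxed_open(sandbox, "link", create=True)
            refused = False
        except PermissionError:
            refused = True
        return leaked, refused, os.path.exists(outside)
```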

Potential Impact

For European organizations, this vulnerability poses a significant risk, particularly to those using WAMR to run WebAssembly workloads on Windows hosts. The ability to escape the sandbox and access or create files on the host system can lead to unauthorized data disclosure, data tampering, or persistence mechanisms for attackers. This can compromise sensitive information, intellectual property, or operational data. Organizations relying on WAMR in development, testing, or production environments may face data breaches or integrity violations. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data access can lead to regulatory penalties and reputational damage. Additionally, organizations using WAMR in critical infrastructure or industrial control systems could face operational disruptions if attackers leverage this vulnerability to manipulate host files. Since exploitation requires local access, the threat is most relevant to insider threats, compromised internal systems, or supply chain attacks in which malicious WebAssembly modules are introduced.

Mitigation Recommendations

European organizations should immediately upgrade all WAMR deployments to version 2.3.0 or later, where the vulnerability is patched. For environments where immediate upgrade is not feasible, implement strict access controls to limit who can execute or deploy WebAssembly modules using WAMR, especially on Windows hosts. Employ application whitelisting and sandboxing at the OS level to restrict file system access beyond intended directories. Monitor file system activity for suspicious symlink creation or unexpected file operations outside of preopened directories. Conduct code reviews and security audits of WebAssembly modules to detect malicious or malformed modules attempting to exploit symlink traversal. Additionally, consider isolating WAMR workloads in dedicated virtual machines or containers with minimal privileges to reduce the blast radius of any exploitation. Finally, maintain up-to-date endpoint detection and response (EDR) solutions to detect anomalous behaviors related to file system access or privilege escalation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-17T20:07:08.555Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec48b

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/12/2025, 1:02:04 AM

Last updated: 8/14/2025, 3:13:04 PM
