
CVE-2025-53901: CWE-672: Operation on a Resource after Expiration or Release in bytecodealliance wasmtime

Severity: Low
Published: Fri Jul 18 2025 (07/18/2025, 17:10:11 UTC)
Source: CVE Database V5
Vendor/Project: bytecodealliance
Product: wasmtime

Description

Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic.

This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components.

In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other releases of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host.

AI-Powered Analysis

Last updated: 07/18/2025, 17:46:29 UTC

Technical Analysis

CVE-2025-53901 is a vulnerability identified in the Wasmtime runtime for WebAssembly, specifically affecting versions prior to 24.0.4, 33.0.2, and 34.0.2. Wasmtime implements WASIp1 import functions through its wasmtime-wasi crate. The vulnerability arises from improper handling of file descriptor operations, specifically when a WebAssembly guest calls the `fd_renumber` function with either two identical arguments or when the second argument matches a previously closed file descriptor number. This misuse corrupts the internal state of Wasmtime's file descriptor management. Subsequently, invoking `path_open` to open a new file descriptor triggers a panic in the host runtime due to this corrupted state. Although this panic causes a denial-of-service (DoS) condition by crashing the host, it does not lead to memory corruption, heap corruption, or sandbox escape, preserving the integrity and confidentiality of the host system. The vulnerability requires the attacker to have the ability to execute a crafted sequence of WASI calls, including `fd_renumber` and `path_open`, which is possible only if the WebAssembly guest has access to preopened directories—a common scenario in many Wasmtime embeddings. Notably, this issue does not affect WASIp2 or embedders using components, nor those that restrict guest capabilities to open new file descriptors. There is no known workaround other than upgrading to patched versions 24.0.4, 33.0.2, or 34.0.2. The CVSS v3.1 base score is 3.5 (low severity), reflecting the limited impact (denial of service only), network attack vector, low attack complexity, requirement for privileges (PR:L), and user interaction (UI:R). No known exploits are reported in the wild as of publication.

Potential Impact

For European organizations, the primary impact of CVE-2025-53901 is a potential denial-of-service condition in applications or services embedding Wasmtime to run WebAssembly workloads. This could disrupt critical services relying on WebAssembly for sandboxed execution, such as serverless platforms, edge computing nodes, or embedded systems that utilize Wasmtime for extensibility or plugin architectures. While the vulnerability does not compromise data confidentiality or integrity, repeated or targeted exploitation could degrade service availability, leading to operational interruptions and potential financial or reputational damage. Organizations deploying Wasmtime in multi-tenant environments or exposed to untrusted WebAssembly modules are at higher risk. Given the growing adoption of WebAssembly in cloud-native and edge environments across Europe, especially in sectors like finance, telecommunications, and manufacturing, this vulnerability could affect service reliability if unpatched. However, the requirement for specific guest capabilities and the absence of memory corruption limit the scope of impact to denial-of-service scenarios only.

Mitigation Recommendations

The definitive mitigation is to upgrade all Wasmtime deployments to the patched versions 24.0.4, 33.0.2, or 34.0.2 as appropriate. Organizations should audit their use of Wasmtime to identify embeddings that expose WASIp1 interfaces with preopened directories allowing file descriptor creation. Where upgrading is temporarily not feasible, consider restricting guest capabilities to prevent opening new file descriptors or disable the use of `fd_renumber` if possible. Embedders using WASIp2 or component-based embeddings are not affected and should verify their configurations accordingly. Additionally, implement runtime monitoring to detect abnormal panics or crashes in Wasmtime hosts, enabling rapid incident response. Incorporate WebAssembly module validation and sandboxing best practices to limit the ability of untrusted modules to invoke problematic sequences. Finally, maintain up-to-date inventories of Wasmtime versions in use and integrate vulnerability scanning into CI/CD pipelines to ensure timely patch application.
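The inventory step above can be automated in CI. The script below is an added example, not code from the advisory or from the Wasmtime project; it scans a Cargo.lock for the `wasmtime` and `wasmtime-wasi` crates and classifies each version against the patched releases the advisory names (24.0.4, 33.0.2, 34.0.2). It assumes the standard Cargo.lock layout (a `[[package]]` table with `name` followed by `version`) and, as a labelled assumption, treats release lines newer than 34 as carrying the fix.

```python
import re
from typing import List, Tuple

# Patched point releases named in the advisory, keyed by release line (major).
PATCHED = {24: (24, 0, 4), 33: (33, 0, 2), 34: (34, 0, 2)}
AFFECTED_CRATES = ("wasmtime", "wasmtime-wasi")

def parse_version(v: str) -> Tuple[int, ...]:
    """Parse 'MAJOR.MINOR.PATCH'; a pre-release or build suffix is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", v.strip())
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())

def status(v: str) -> str:
    """Classify a wasmtime / wasmtime-wasi version against CVE-2025-53901."""
    ver = parse_version(v)
    line = ver[0]
    if line in PATCHED:
        return "patched" if ver >= PATCHED[line] else "affected"
    if line > max(PATCHED):
        return "patched"  # assumption: lines cut after the fix (35+) carry it
    return "affected-unsupported"  # no patch release; move to a supported line

# Cargo.lock writes each package as a [[package]] table; name precedes version.
PACKAGE_RE = re.compile(
    r'\[\[package\]\]\s*\nname = "(?P<name>[^"]+)"\s*\nversion = "(?P<version>[^"]+)"'
)

def scan_cargo_lock(text: str) -> List[Tuple[str, str, str]]:
    return [
        (m["name"], m["version"], status(m["version"]))
        for m in PACKAGE_RE.finditer(text)
        if m["name"] in AFFECTED_CRATES
    ]

# Constructed sample lockfile fragment, not any real project's Cargo.lock.
SAMPLE_LOCK = """\
[[package]]
name = "wasmtime"
version = "33.0.1"
[[package]]
name = "wasmtime-wasi"
version = "33.0.1"
"""

if __name__ == "__main__":
    for crate, version, verdict in scan_cargo_lock(SAMPLE_LOCK):
        print(f"{crate} {version}: {verdict}")
```

Feed the real lockfile with `scan_cargo_lock(open("Cargo.lock").read())` and fail the pipeline on any verdict other than "patched".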


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-11T19:05:23.826Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 687a84eba83201eaacf54f2b

Added to database: 7/18/2025, 5:31:23 PM

Last enriched: 7/18/2025, 5:46:29 PM

Last updated: 8/12/2025, 3:16:37 PM

