
CVE-2025-54126: CWE-668: Exposure of Resource to Wrong Sphere in bytecodealliance wasm-micro-runtime

Severity: Medium
Published: Tue Jul 29 2025 (07/29/2025, 21:52:36 UTC)
Source: CVE Database V5
Vendor/Project: bytecodealliance
Product: wasm-micro-runtime

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions. Services relying on --addr-pool for restricting access by IP may unintentionally become open to all external connections. This may lead to unauthorized access in production deployments, especially when users assume that specifying an IP without a subnet mask implies a default secure configuration. This is fixed in version 2.4.1.

AI-Powered Analysis

Last updated: 07/29/2025, 22:17:55 UTC

Technical Analysis

CVE-2025-54126 is a medium-severity vulnerability affecting the WebAssembly Micro Runtime (WAMR), specifically its iwasm executable binary component. WAMR is a lightweight WebAssembly runtime that supports the WebAssembly System Interface (WASI) and a command line interface, enabling execution of WebAssembly modules in various environments. The vulnerability exists in versions 2.4.0 and earlier, where the iwasm component accepts an --addr-pool entry consisting of an IPv4 address without a subnet mask. Instead of restricting access to the intended address range, this configuration causes the runtime to accept connections from all IP addresses. Because no mask is applied, the access control check is effectively bypassed and the service is exposed to every incoming network connection. This can lead to unauthorized access to services that rely on --addr-pool for IP-based access control, especially in production deployments where administrators may incorrectly assume that specifying an IP address without a subnet mask is secure by default. The vulnerability is categorized under CWE-668 (Exposure of Resource to Wrong Sphere), indicating improper access control boundaries. The issue is resolved in WAMR version 2.4.1, where the handling of --addr-pool has been corrected to enforce proper subnet masking and restrict access as configured. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network-exploitable condition without authentication or user interaction, but with limited impact on confidentiality, integrity, or availability. No known exploits are reported in the wild as of the publication date.

Potential Impact

For European organizations deploying WAMR, especially those using the iwasm component in production environments, this vulnerability poses a risk of unauthorized external access to services that were intended to be restricted by IP address. This could lead to exposure of sensitive internal WebAssembly workloads or services, potentially allowing attackers to execute unauthorized code or access data. The impact is particularly relevant for sectors relying on WebAssembly for edge computing, IoT gateways, or cloud-native applications, where WAMR is used to run lightweight, sandboxed modules. Unauthorized access could undermine confidentiality and operational security, though the vulnerability does not directly enable privilege escalation or code execution beyond the exposed service. European organizations with strict data protection requirements (e.g., GDPR) must consider the risk of data exposure or breach resulting from this vulnerability. Additionally, the inadvertent exposure could serve as a foothold for further attacks if combined with other vulnerabilities. The medium severity rating suggests a moderate risk, but the ease of exploitation (no authentication or user interaction required) increases the urgency of remediation in sensitive environments.

Mitigation Recommendations

European organizations should promptly upgrade WAMR to version 2.4.1 or later, where the vulnerability is fixed by enforcing proper subnet mask handling in the --addr-pool parameter. Until an upgrade is possible, organizations should avoid using the --addr-pool option without explicitly specifying a subnet mask, so that access restrictions are applied as intended. Network-level controls such as firewalls and intrusion prevention systems should be configured to restrict access to the iwasm service to trusted IP ranges only, compensating for the runtime's misconfiguration. Conduct thorough audits of deployment configurations to identify any instances where --addr-pool is used without subnet masks and remediate accordingly. Monitoring network traffic for unexpected connections to the iwasm service can help detect exploitation attempts. Additionally, organizations should implement strict network segmentation to isolate WebAssembly runtime environments from public or untrusted networks. Incorporating vulnerability scanning and configuration management tools that check for this specific misconfiguration can prevent recurrence. Finally, ensure that incident response plans include procedures for addressing unauthorized access incidents related to this vulnerability.
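The following Python is an added example, not WAMR's own code: it models the behaviour the analysis describes (a mask-less entry matching every address) next to the hardened interpretation (a bare address is a single /32 host), and provides the audit helper the mitigation step calls for. It assumes --addr-pool takes a comma-separated list of IPv4 entries in CIDR notation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PoolEntry:
    text: str
    network: Optional[ipaddress.IPv4Network]  # None when the entry is unparseable
    has_mask: bool                            # False when no "/prefix" was given


def parse_addr_pool(spec: str) -> List[PoolEntry]:
    """Parse a comma-separated --addr-pool value (assumed syntax) into entries."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        has_mask = "/" in item
        try:
            # strict=False lets a bare host address parse as a /32 network.
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError:
            net = None
        entries.append(PoolEntry(item, net, has_mask))
    return entries


def permissive_allows(entries: List[PoolEntry], client_ip: str) -> bool:
    """Model of the pre-2.4.1 behaviour from the advisory: an entry without a
    subnet mask matches every client address, not just the one listed."""
    addr = ipaddress.IPv4Address(client_ip)
    for e in entries:
        if e.network is None:
            continue
        if not e.has_mask:
            return True  # mask-less entry behaves like 0.0.0.0/0
        if addr in e.network:
            return True
    return False


def strict_allows(entries: List[PoolEntry], client_ip: str) -> bool:
    """Hardened check: a bare IPv4 address is treated as a single /32 host."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(e.network is not None and addr in e.network for e in entries)


def audit_addr_pool(spec: str) -> List[str]:
    """Return the entries that lack a subnet mask, i.e. the misconfiguration
    this CVE describes, for use in deployment configuration audits."""
    return [e.text for e in parse_addr_pool(spec) if not e.has_mask]
```

Running audit_addr_pool over each iwasm invocation in a deployment manifest gives the list of entries that must be rewritten with an explicit prefix length before or after the 2.4.1 upgrade.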


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-16T23:53:40.509Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68894505ad5a09ad00916e96

Added to database: 7/29/2025, 10:02:45 PM

Last enriched: 7/29/2025, 10:17:55 PM

Last updated: 8/1/2025, 5:23:38 AM
