CVE-2025-54126: CWE-668: Exposure of Resource to Wrong Sphere in bytecodealliance wasm-micro-runtime

Severity: Medium
Tags: Vulnerability, CVE-2025-54126, CWE-668
Published: Tue Jul 29 2025 (07/29/2025, 21:52:36 UTC)
Source: CVE Database V5
Vendor/Project: bytecodealliance
Product: wasm-micro-runtime

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built on the WAMR VMcore; it supports the WebAssembly System Interface (WASI) and provides a command line interface. In versions 2.4.0 and below, when iwasm is given an --addr-pool entry that is an IPv4 address without a subnet mask, the entry matches every IP address instead of restricting access. This can unintentionally expose the service to all incoming connections and bypass the intended access restrictions: services that rely on --addr-pool to restrict access by IP may become open to all external connections. This may lead to unauthorized access in production deployments, especially where operators assume that an IP address given without a subnet mask implies a secure, host-only default. This is fixed in version 2.4.1.

AI-Powered Analysis

Last updated: 08/06/2025, 01:06:25 UTC

Technical Analysis

CVE-2025-54126 is a medium-severity vulnerability in the WebAssembly Micro Runtime (WAMR), specifically in its iwasm executable. iwasm is built on the WAMR VMcore and exposes the WebAssembly System Interface (WASI) together with a command line interface; its --addr-pool option takes a list of IP ranges, in CIDR form, used to restrict access by IP address. In versions 2.4.0 and earlier, an --addr-pool entry written as a bare IPv4 address with no subnet mask is not treated as a single host: the missing mask is interpreted as matching every address, so the entry allows all IP connections and bypasses the IP-based restriction the operator intended. Services that rely on --addr-pool to limit access by IP address are therefore left open to all external connections. This is most dangerous in production, where operators tend to assume that an address without a mask defaults to a secure, host-only configuration. The weakness is classified as CWE-668 (Exposure of Resource to Wrong Sphere): the resource is reachable beyond its intended scope. The issue is fixed in wasm-micro-runtime 2.4.1. The CVSS 4.0 base score is 6.9, reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality with no impact on integrity or availability. No exploitation in the wild has been reported.
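The following model illustrates why a maskless entry is dangerous. It is an added example and not WAMR's own code: it reproduces, in simplified form, the behaviour the advisory describes (an entry with no mask matching every address) and contrasts it with the host-only reading an operator expects. The entry syntax it assumes, comma-separated `ip[/prefixlen]` strings, is an assumption about the flag's CIDR form and should be checked against your iwasm version's `--help`; the function names and the sample addresses are constructed for the example.

```python
"""Model of the --addr-pool allowlist check.

Added example, not WAMR's own code.  It reproduces the behaviour the advisory
describes (a pool entry without a mask matching every address) in simplified
form and contrasts it with a host-only default.  The entry syntax assumed
here, comma-separated ip[/prefixlen] strings, is an assumption about the
flag's CIDR form.
"""
import ipaddress


def parse_entry(entry: str, vulnerable: bool):
    """Parse one pool entry into an ip_network.

    vulnerable=True models the pre-2.4.1 behaviour described in the advisory:
    an entry with no '/prefixlen' gets a prefix length of 0, so its network
    becomes 0.0.0.0/0 (or ::/0) and every address matches.  vulnerable=False
    models the safe reading: a bare address is that single host (/32 for
    IPv4, /128 for IPv6).
    """
    entry = entry.strip()
    if "/" in entry:
        return ipaddress.ip_network(entry, strict=False)
    addr = ipaddress.ip_address(entry)
    prefixlen = 0 if vulnerable else addr.max_prefixlen
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def parse_pool(spec: str, vulnerable: bool) -> list:
    """Split a comma-separated --addr-pool value into networks."""
    return [parse_entry(e, vulnerable) for e in spec.split(",") if e.strip()]


def is_allowed(pool: list, address: str) -> bool:
    """Allowlist semantics: the address must fall inside at least one entry."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in pool)


# Constructed pool: a /8 with an explicit mask plus one bare host address.
EXAMPLE_POOL = "10.0.0.0/8,192.0.2.7"
# Constructed peers: one inside the /8, the bare host itself, one unrelated.
EXAMPLE_PEERS = ("10.1.2.3", "192.0.2.7", "198.51.100.9")


def compare(spec: str = EXAMPLE_POOL, peers=EXAMPLE_PEERS) -> dict:
    """Return {peer: (allowed under the 2.4.0 model, allowed with host default)}."""
    vuln = parse_pool(spec, vulnerable=True)
    safe = parse_pool(spec, vulnerable=False)
    return {p: (is_allowed(vuln, p), is_allowed(safe, p)) for p in peers}


if __name__ == "__main__":
    for peer, (before, after) in compare().items():
        print(f"{peer:14} maskless-as-/0: {before!s:5}  host-only: {after}")
```

With the pool above, the unrelated address 198.51.100.9 is allowed under the maskless-as-/0 model only because the bare `192.0.2.7` entry collapsed to `0.0.0.0/0`; the `10.0.0.0/8` entry behaves identically in both models, which is why the problem is easy to miss in testing when the first entry in the pool is correct.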

Potential Impact

For European organizations running wasm-micro-runtime versions prior to 2.4.1, this vulnerability can grant external parties access to services that were presumed to be restricted by IP address. That exposure risks leakage of sensitive data or unauthorized use of the service, and a reachable service is a foothold for further exploitation or lateral movement within the network. Given the growing adoption of WebAssembly runtimes in cloud-native, edge computing, and IoT environments, affected deployments may exist in finance, healthcare, telecommunications, and critical infrastructure. Unauthorized access undermines confidentiality and trust and, in regulated industries, may constitute a compliance violation (for example under GDPR) if personal data is exposed. Because no authentication or user interaction is required, remote attackers scanning for exposed endpoints can exploit the misconfiguration easily. The limited impact on integrity and availability makes destructive attacks less likely but does not remove the risk of data exposure or misuse.

Mitigation Recommendations

European organizations should immediately audit their deployments of wasm-micro-runtime, specifically the iwasm component, and upgrade every instance below 2.4.1 to version 2.4.1 or later, where the issue is fixed. Until the upgrade is done, never pass --addr-pool an address without an explicit subnet mask: write a single host as a.b.c.d/32 (or /128 for IPv6) and a range with its real prefix length, and treat any /0 entry as equivalent to no restriction at all. Network-level controls such as firewall rules and intrusion prevention systems should independently restrict access to the affected services to trusted IP ranges, so that the runtime's address pool is never the only control. Access attempts should be logged and monitored to detect unauthorized connections. Security teams should review configuration management and deployment pipelines so that maskless --addr-pool entries cannot be propagated as defaults, and penetration tests and vulnerability scans should include a check for this specific misconfiguration.
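A configuration check of the kind the last sentence calls for can be scripted. The audit below is an added example, not part of the advisory or of WAMR: it scans shell scripts and systemd unit fragments for iwasm invocations and flags --addr-pool entries that have no mask, an explicit /0, or are not valid CIDR. It assumes the flag is written as `--addr-pool=<entry>[,<entry>...]`; the function names and the two sample files are constructed for the example.

```python
"""Audit iwasm invocations for --addr-pool entries that omit a subnet mask.

Added example, not part of the advisory or of WAMR.  It assumes the flag is
written as --addr-pool=<entry>[,<entry>...] with entries in ip/prefixlen
form, and scans shell scripts or systemd unit fragments for iwasm lines.
"""
import ipaddress
import shlex

FLAG = "--addr-pool="


def audit_cmdline(cmdline: str) -> list:
    """Return (entry, reason) findings for one iwasm command line."""
    findings = []
    try:
        tokens = shlex.split(cmdline)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    for tok in tokens:
        if not tok.startswith(FLAG):
            continue
        for entry in tok[len(FLAG):].split(","):
            entry = entry.strip()
            if not entry:
                continue
            if "/" not in entry:
                findings.append((entry, "no subnet mask: matches every address before 2.4.1"))
                continue
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append((entry, "not a valid CIDR entry"))
                continue
            if net.prefixlen == 0:
                findings.append((entry, "explicit /0 allows every address"))
    return findings


def audit_text(text: str) -> dict:
    """Audit each line that invokes iwasm; returns {line_number: findings}.

    Comment lines are skipped.  A systemd 'ExecStart=' prefix is stripped so
    unit-file lines are handled alongside plain shell lines.
    """
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "iwasm" not in stripped:
            continue
        if stripped.startswith("ExecStart="):
            stripped = stripped[len("ExecStart="):]
        findings = audit_cmdline(stripped)
        if findings:
            report[n] = findings
    return report


# Constructed samples, not taken from any real deployment.
SAMPLE_UNIT = """\
# constructed systemd unit fragment
[Service]
ExecStart=/usr/bin/iwasm --addr-pool=10.0.0.0/8,192.0.2.7 /srv/app.wasm
"""

SAMPLE_SCRIPT = """\
#!/bin/sh
# constructed launcher script
iwasm --addr-pool=0.0.0.0/0 /srv/app.wasm
iwasm --addr-pool=192.0.2.7/32,2001:db8::1/128 /srv/app.wasm
"""

if __name__ == "__main__":
    for name, text in (("unit", SAMPLE_UNIT), ("script", SAMPLE_SCRIPT)):
        for line_no, findings in audit_text(text).items():
            for entry, reason in findings:
                print(f"{name}:{line_no}: {entry}: {reason}")
```

Run against real deployments by feeding it the text of each unit file or launcher script; the last line of the sample script, with an explicit /32 and /128, produces no finding, which is the form the mitigation above asks for.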

Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-07-16T23:53:40.509Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68894505ad5a09ad00916e96

Added to database: 7/29/2025, 10:02:45 PM

Last enriched: 8/6/2025, 1:06:25 AM

Last updated: 9/14/2025, 2:32:12 PM