CVE-2025-62711
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-62711
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62711.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-62711
- Aliases
- Downstream
- Published
- 2025-10-24T21:54:52.578Z
- Modified
- 2025-12-05T10:21:33.911126Z
- Severity
-
- 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator
- Summary
- Wasmtime vulnerable to segfault when using component resources
- Details
-
Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62711.json", "cwe_ids": [ "CWE-755" ], "cna_assigner": "GitHub_M" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62711.json
- https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5
- https://github.com/bytecodealliance/wasmtime/pull/11592
- https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-4h67-722j-5pmc
- https://nvd.nist.gov/vuln/detail/CVE-2025-62711
Affected packages
Git / github.com/bytecodealliance/wasmtime
Affected ranges
- Type
- GIT
- Repo
- https://github.com/bytecodealliance/wasmtime
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
cranelift-v0.*
cranelift-v0.60.0
cranelift-v0.61.0
cranelift-v0.69.0
filecheck-v0.*
filecheck-v0.0.1
v0.*
v0.12.0
v0.16.0
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.22.0
v0.23.0
v0.24.0
v0.25.0
v0.26.0
v0.27.0
v0.28.0
v0.29.0
v0.30.0
v0.31.0
v0.32.0
v0.33.0
v0.34.0
v0.35.0
Database specific
vanir_signatures
[
{
"target": {
"function": "(wasmtime_setjmp)",
"file": "crates/wasmtime/src/runtime/vm/helpers.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-0ff92084",
"digest": {
"function_hash": "19988293854788395982202002196590882194",
"length": 240.0
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Function"
},
{
"target": {
"file": "examples/min-platform/embedding/wasmtime-platform.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-2c10c6e3",
"digest": {
"threshold": 0.9,
"line_hashes": [
"320461689507052786631748604177733157765",
"129713182100822095831941336678389151807",
"135008703020829078469550841728039179382",
"242588917796571132987981325519063059021",
"220548460204704248646570880819991509546",
"192274431200721004198110150685316496217",
"205698434121273434710212462175931520952",
"21647253845594470838432997512379228665",
"42819662355649581301015241667545344042",
"259848323271464576292716597871495042384",
"41763544500026618408032754588755993180",
"47431928407414670950988085738090707758",
"114601743435956389243871920090586137690",
"209509310919912275926163997657173837523",
"49182335569707449499125210205458681892",
"197022405387284171832683725473597430157",
"32489737805102307873503448533887552673",
"168487058308430327796734493376358624492"
]
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Line"
},
{
"target": {
"function": "(wasmtime_longjmp)",
"file": "crates/wasmtime/src/runtime/vm/helpers.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-4bf32ae6",
"digest": {
"function_hash": "30406086875223130756315384995816610665",
"length": 107.0
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Function"
},
{
"target": {
"function": "wasmtime_longjmp",
"file": "examples/min-platform/embedding/wasmtime-platform.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-53de11ea",
"digest": {
"function_hash": "53746378556404952355914164607598158060",
"length": 81.0
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Function"
},
{
"target": {
"function": "wasmtime_setjmp",
"file": "examples/min-platform/embedding/wasmtime-platform.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-9d3dd51b",
"digest": {
"function_hash": "221206169834701962829278536890721469332",
"length": 243.0
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Function"
},
{
"target": {
"file": "crates/wasmtime/src/runtime/vm/helpers.c"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-ad3624c5",
"digest": {
"threshold": 0.9,
"line_hashes": [
"294154231150210474978541182050428603239",
"200836222701379322441198676786933938194",
"120580616603937234860495406833807964199",
"51375057604087007270362686149753376351",
"38027088651916841052995392320229208854",
"336331852822341144984671685992392169487",
"327459593604659799523233811461651844166",
"50607481742766384598448196824062521237",
"23594053023768899251490258033715500492",
"82366568139973798657233823607124979712",
"292986352699974277574950497349998055815",
"213057500470305182878223676239643167846",
"49489095054368947827834904598927417632",
"338530635810813204577162459784001746328",
"161332504838025984401646720002119762290",
"34580822521013564912639280926266145992",
"158246336953975086540678522443774084351",
"287573046592136569423872132660214550564",
"2363585950538417467635701356999332556",
"305683707983509241242824595013967371362",
"307459851683717091537913597465247600559",
"250338552224688271081826170675202564477",
"155196582604528323176489379128552777106",
"100628221161139091212470013294594839501",
"93172383823350330817133107149437596254",
"197582381757464389650356566995942344285",
"304365133270222908283991178547237763076",
"316238695817932740674954838941694293596"
]
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Line"
},
{
"target": {
"file": "examples/min-platform/embedding/wasmtime-platform.h"
},
"deprecated": false,
"signature_version": "v1",
"id": "CVE-2025-62711-e7da3503",
"digest": {
"threshold": 0.9,
"line_hashes": [
"83751466684426646756324518243437355532",
"113341841991189725003934845090179689493",
"185549466577730674964337849434939601328",
"198566320827539385302167844826176483375",
"147789037828865677333201039265640083078",
"32592509839538836575957452029435092375",
"286652786685731189669285280342267001592",
"255301730825943623215430589633105056089",
"282525795152145140470552725508523805275",
"87730097899322415670228277819021702717",
"256658522871873163137035193299168848554"
]
},
"source": "https://github.com/bytecodealliance/wasmtime/commit/192f2fcdadfec9d0cf6b58548a85a7307450cbf5",
"signature_type": "Line"
}
]