GHSA-9ghp-w2hm-vfpf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9ghp-w2hm-vfpf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-9ghp-w2hm-vfpf/GHSA-9ghp-w2hm-vfpf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9ghp-w2hm-vfpf
- Published
- 2025-06-17T15:37:56Z
- Modified
- 2025-06-17T15:37:57Z
- Severity
-
- 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- wasmtime_jit_debug Dumps Undefined Memory by `JitDumpFile`
- Details
-
The unsound function
dump_code_load_recordusesfrom_raw_partsto directly convert the pointeraddrandleninto a slice without any validation and that memory block would be dumped.Thus, the 'safe' function dumpcodeload_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow. Otherwise, the function could dump the memory into file illegally, causing memory leak.
Note: this is an internal-only crate in the Wasmtime project not intended for external use and is more strongly signaled nowadays as of bytecodealliance/wasmtime#10963. Please open an issue in Wasmtime if you're using this crate directly.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-119" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-06-17T15:37:56Z" }- References
Affected packages
crates.io / wasmtime-jit-debug
Package
- Name
- wasmtime-jit-debug
- View open source insights on deps.dev
- Purl
- pkg:cargo/wasmtime-jit-debug