CVE-2025-62711 LOW

CVE-2025-62711: Wasmtime vulnerable to segfault when using component resources

Vendor Bytecodealliance
Product wasmtime
Weakness CWE-755
Published October 24, 2025
Last update October 27, 2025

CVSS base score

2.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

What the vulnerability does

01Description

Wasmtime is a runtime for WebAssembly. In versions from 38.0.0 to before 38.0.3, the implementation of component-model related host-to-wasm trampolines in Wasmtime contained a bug where it's possible to carefully craft a component, which when called in a specific way, would crash the host with a segfault or assert failure. Wasmtime 38.0.3 has been released and is patched to fix this issue. There are no workarounds.

Key dates

02Disclosure timeline

October 24, 2025 CVE published
October 27, 2025 Record updated