WebAssembly Binaryen CVE-2025-14957
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue.
AnalysisAI
Null pointer dereference in WebAssembly Binaryen up to version 125 allows local authenticated users to cause denial of service by manipulating the Index argument in IRBuilder::makeLocalGet, IRBuilder::makeLocalSet, or IRBuilder::makeLocalTee functions. Public exploit code exists, though real-world impact is minimal given the very low EPSS score (0.03%, 7th percentile) and local-access-only attack vector. This vulnerability is low-severity and unlikely to be prioritized for rapid patching in most environments.
Technical ContextAI
Binaryen is a compiler and toolchain infrastructure library for WebAssembly. The vulnerability resides in the IRBuilder component (src/wasm/wasm-ir-builder.cpp), which handles intermediate representation construction during WebAssembly code compilation. The three affected functions (makeLocalGet, makeLocalSet, makeLocalTee) manage local variable access operations in the IR. When the Index argument is manipulated to an invalid value, these functions fail to validate the index bounds against the actual local variable table, resulting in a null pointer dereference (CWE-404: Improper Resource Validation). This occurs at the IR construction stage, before WebAssembly binary generation, and is exploitable only by local users with sufficient privileges to invoke the compiler toolchain.
RemediationAI
Update WebAssembly Binaryen to a version released after commit 6fb2b917a79578ab44cf3b900a6da4c27251e0d4 (released as part of a post-125 release; verify exact version from GitHub releases). Users unable to update immediately should restrict access to the Binaryen compiler toolchain to trusted developers only, as the vulnerability requires local authenticated user access to the build environment. Restricting who can invoke the compiler and what input it accepts will prevent exploitation. Coordinate patching with routine toolchain updates to minimize disruption; this is not a critical patch requiring emergency deployment. Confirm the applied patch via the commit hash 6fb2b917a79578ab44cf3b900a6da4c27251e0d4 visible in your build environment. See GitHub repository (https://github.com/WebAssembly/binaryen/) and patch PR https://github.com/WebAssembly/binaryen/pull/8099 for deployment details.
Share
External POC / Exploit Code
Leaving vuln.today