Which versions of Webassembly Micro Runtime are affected by CVE-2025-58749?

CVE-2025-58749 is a low-severity vulnerability in WAMR involving integer overflow (CVSS 2.1).. A patch is available.

Is there a public PoC exploit available for CVE-2025-58749?

Yes, a public proof-of-concept exploit is available for CVE-2025-58749. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-58749?

During next maintenance window: Apply vendor patches when convenient. Verify integer overflow controls are in place.

Webassembly Micro Runtime CVE-2025-58749

Q: What is the CVSS score of CVE-2025-58749?

CVE-2025-58749 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

LOW

Integer Overflow or Wraparound (CWE-190)

2025-09-16 security-advisories@github.com

Denial Of Service Integer Overflow Webassembly Micro Runtime

2.1

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:12 vuln.today

Patch released

Mar 28, 2026 - 19:12 nvd

Patch available

PoC Detected

Sep 20, 2025 - 02:58 vuln.today

Public exploit code

CVE Published

Sep 16, 2025 - 16:15 nvd

LOW 2.1

DescriptionNVD

WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. In WAMR versions prior to 2.4.2, when running in LLVM-JIT mode, the runtime cannot exit normally when executing WebAssembly programs containing a memory.fill instruction where the first operand (memory address pointer) is greater than or equal to 2147483648 bytes (2GiB). This causes the runtime to hang in release builds or crash in debug builds due to accessing an invalid pointer. The issue does not occur in FAST-JIT mode or other runtime tools. This has been fixed in version 2.4.2.

AnalysisAI

WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Rated low severity (CVSS 2.1), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Integer Overflow (CWE-190), which allows attackers to cause unexpected behavior through arithmetic overflow. WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. In WAMR versions prior to 2.4.2, when running in LLVM-JIT mode, the runtime cannot exit normally when executing WebAssembly programs containing a memory.fill instruction where the first operand (memory address pointer) is greater than or equal to 2147483648 bytes (2GiB). This causes the runtime to hang in release builds or crash in debug builds due to accessing an invalid pointer. The issue does not occur in FAST-JIT mode or other runtime tools. This has been fixed in version 2.4.2. Affected products include: Bytecodealliance Webassembly Micro Runtime. Version information: prior to 2.4.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Validate arithmetic operations, use safe integer libraries, check bounds before allocation.

CVE-2025-58749 vulnerability details – vuln.today

Back