Which versions of WebAssembly are affected by CVE-2025-6274?

CVE-2025-6274 is a low-severity vulnerability in WebAssembly wabt involving resource exhaustion (CVSS 3.3).. A patch is available.

Is there a public PoC exploit available for CVE-2025-6274?

Yes, a public proof-of-concept exploit is available for CVE-2025-6274. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2025-6274?

During next maintenance window: Apply vendor patches when convenient. Verify denial of service controls are in place.

WebAssembly CVE-2025-6274

Q: What is the CVSS score of CVE-2025-6274?

CVE-2025-6274 has a CVSS 4.0 base score of 1.9 (Low). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2025-18693 LOW

Uncontrolled Resource Consumption (CWE-400)

2025-06-19 cna@vuldb.com

Denial Of Service

1.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

1.9 LOW

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Ubuntu

MEDIUM

qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:11 NVD

3.3 (LOW) 1.9 (LOW)

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 15, 2026 - 00:08 euvd

EUVD-2025-18693

Analysis Generated

Mar 15, 2026 - 00:08 vuln.today

PoC Detected

Jul 02, 2025 - 18:33 vuln.today

Public exploit code

CVE Published

Jun 19, 2025 - 19:15 nvd

LOW 3.3

DescriptionCVE.org

A vulnerability was found in WebAssembly wabt up to 1.0.37. It has been classified as problematic. Affected is the function OnDataCount of the file src/interp/binary-reader-interp.cc. The manipulation leads to resource consumption. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. A similar issue reported during the same timeframe was disputed by the code maintainer because it might not affect "real world wasm programs". Therefore, this entry might get disputed as well in the future.

Analysis

Vendor StatusVendor

Ubuntu

Priority: Medium

wabt

Release	Status	Version
noble	needs-triage	-
plucky	ignored	end of life, was needs-triage
upstream	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-

Debian

wabt

Release	Status	Fixed Version	Urgency
bullseye	vulnerable	1.0.20-1	-
bookworm	vulnerable	1.0.32-1	-
forky, sid, trixie	vulnerable	1.0.36+dfsg+~cs1.0.36-2	-
(unstable)	fixed	(unfixed)	unimportant

CVE-2025-6274 vulnerability details – vuln.today

Back

WebAssembly CVE-2025-6274

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Analysis

Vendor StatusVendor

Ubuntu

Debian

Share

External POC / Exploit Code