← back
CVE-2025-15412

WebAssembly wabt wasm-decompile VarName out-of-bounds

CVSS 4.8 MEDIUMEPSS 0.2%CWE-119CWE-125
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 4.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
01 Jan 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A security vulnerability has been detected in WebAssembly wabt up to 1.0.39. This issue affects the function wabt::Decompiler::VarName of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. Such manipulation leads to out-of-bounds read. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
WebAssembly · wabt

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/oneafter/1208/blob/main/af1https://github.com/WebAssembly/wabt/https://github.com/WebAssembly/wabt/issues/2678https://vuldb.com/?ctiid.339333https://vuldb.com/?id.339333https://vuldb.com/?submit.719826