CVE-2025-54126: WAMR iwasm Unintended Network Exposure via Incorrect IPv4 Address Handling
🔍 TL;DR Summary
A vulnerability exists in WebAssembly Micro Runtime (WAMR) iwasm versions 2.4.0 and below. The --addr-pool argument, when used with an IPv4 address lacking a subnet mask, allows the system to accept connections from all IP addresses. This can lead to unintended network exposure, bypassing intended access restrictions. Update to version 2.4.1 to resolve this issue.
🚨 Vulnerability Details
CVE ID
CVE-2025-54126
Description
The WebAssembly Micro Runtime's (WAMR) iwasm package, which is the executable binary built with WAMR VMcore supporting WebAssembly System Interface (WASI) and command line interface, is vulnerable. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, causing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions.
CVSS Score and Vector
CVSS 4.0: 6.9 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Explanation: This CVSS score indicates a medium severity vulnerability where an attacker on the network can potentially gain limited access to confidential information without needing any privileges or user interaction. The impact on data integrity and availability is none, but there is some impact to the confidentiality and availability of system components.
Exploit Requirements
An attacker must be able to connect to the iwasm service on the affected host.
Affected Vendor, Product, Version
- Vendor: WebAssembly Micro Runtime
- Product: iwasm
- Version: <= 2.4.0
CWE
CWE-668: Exposure of Resource to Wrong Sphere
Explanation: CWE-668 refers to situations where a system resource (like a network service) is unintentionally exposed to a broader scope than intended, leading to potential unauthorized access or modification.
📅 Timeline of Events
- Date: 2025-07-29
- Event: CVE Reported and Published
🧠 Exploitability & Real-World Risk
This vulnerability is relatively easy to exploit if the iwasm service is configured to use --addr-pool without a proper subnet mask. An attacker on the same network (or even the internet, depending on firewall configurations) could potentially connect to the service, bypassing intended IP-based access restrictions. This is especially concerning in production environments where iwasm is used to host sensitive applications.
🛠️ Recommendations
- Upgrade to WAMR iwasm version 2.4.1 or later.
- When using the
--addr-poolargument, always specify a subnet mask (e.g.,127.0.0.1/32for localhost only). - Review your network configuration to ensure that only authorized clients can access the iwasm service.
🧪 Technical Insight
The vulnerability stems from the way iwasm parses and interprets the --addr-pool argument. When an IPv4 address is provided without a subnet mask, the system defaults to accepting connections from any IP address. By providing a subnet mask, you explicitly define the range of IP addresses that are allowed to connect.
🙌 Credit to Researcher(s)
GitHub Security Advisory
🔗 References
🧵 Tags
WAMR, iwasm, WebAssembly, CVE-2025-54126, Network Exposure, Security Vulnerability, IPv4 Address, Subnet Mask
Summary: A vulnerability exists in WAMR iwasm <= 2.4.0 where using --addr-pool without a subnet mask exposes the service to all IPs. Upgrade to 2.4.1 and use subnet masks for access control.
CVE ID: CVE-2025-54126
Risk Analysis: This vulnerability can lead to unauthorized access to the iwasm service, potentially compromising sensitive applications and data.
Recommendation: Upgrade to WAMR iwasm version 2.4.1 or later. When using the --addr-pool argument, always specify a subnet mask.
Timeline
- 2025-07-29: CVE Reported and Published