Vulnerability Details CVE-2025-64713
WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, an out-of-bounds array access issue exists in WAMR's fast interpreter mode during WASM bytecode loading. When frame_ref_bottom and frame_offset_bottom arrays are at capacity and a GET_GLOBAL(I32) opcode is encountered, frame_ref_bottom is expanded but frame_offset_bottom may not be. If this is immediately followed by an if opcode that triggers preserve_local_for_block, the function traverses arrays using stack_cell_num as the upper bound, causing out-of-bounds access to frame_offset_bottom since it wasn't expanded to match the increased stack_cell_num. This issue has been patched in version 2.4.4.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.3%
CVSS Severity
CVSS v3 Score 5.1
References
Products affected by CVE-2025-64713
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:-
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.0.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.1.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.1.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.1.2
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.2.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.2.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.2.2
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.2.3
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.3.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.3.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.3.2
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:1.3.3
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.0.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.1.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.1.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.1.2
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.2.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.3.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.3.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.4.0
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.4.1
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.4.2
-
cpe:2.3:a:bytecodealliance:webassembly_micro_runtime:2.4.3