CVE-2023-51661: 
Rust vulnerability analysis and mitigation

Wasmer, a WebAssembly runtime that enables containers to run anywhere (from Desktop to Cloud, Edge, and browser), was found to have a critical filesystem sandbox vulnerability. The issue, identified as CVE-2023-51661, was discovered on December 22, 2023, affecting versions 3.0.0 through 4.2.3. The vulnerability allows WebAssembly (Wasm) programs to access the filesystem outside of their intended sandbox, potentially exposing the host filesystem to untrusted code (GitHub Advisory).

The vulnerability stems from a design flaw where the current working directory (cwd) is opened by default, contrary to other Wasm runtimes that require explicit directory preopening for host filesystem access. This behavior allows Wasm programs to perform filesystem operations without explicit permissions. For example, a simple Wasm program compiled with wasm32-wasi target can create files in the working directory even when run without the --dir flag (GitHub Issue).

The vulnerability poses significant security risks as service providers running untrusted Wasm code on Wasmer can unexpectedly expose their host filesystem to potential unauthorized access and modification. The issue received a CVSS v3.1 base score of 8.4 (High), with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high potential impact on confidentiality, integrity, and availability (GitHub Advisory).

The vulnerability has been patched in Wasmer version 4.2.4. Users are strongly advised to upgrade to this version to prevent unauthorized filesystem access. The fix ensures proper enforcement of filesystem sandboxing for Wasm programs (GitHub Commit).