CVE-2024-51745
Rust vulnerability analysis and mitigation

Overview

Wasmtime, a fast and secure runtime for WebAssembly, contains a vulnerability (CVE-2024-51745) discovered in November 2024. The vulnerability affects Wasmtime's filesystem sandbox implementation on Windows, which fails to block access to special device filenames using superscript digits (e.g., 'COM¹', 'COM²', 'LPT⁰', 'LPT¹'). This affects versions up to 24.0.1, 25.0.2, and 26.0.0 (GitHub Advisory).

Technical details

The vulnerability stems from an incomplete implementation of Windows device filename blocking in Wasmtime's sandbox. While the sandbox blocks standard device filenames like 'COM1' and 'LPT1', it fails to block their superscript digit variants. Windows recognizes these superscript digits (¹, ², ³) as valid parts of device names, making them reserved in every directory. The vulnerability has been assigned a CVSS v4.0 score of 2.3 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (GitHub Advisory).
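The gap described above, as an added Rust example that is not Wasmtime's code: an ASCII-only reserved-name check beside one that also rejects the superscript digits named on this page. All function names are hypothetical, the sample names are constructed, and stripping an extension and trailing spaces before matching is an assumption about how Windows compares device names, not something the page states.

```rust
// Added illustration, not Wasmtime's code. All names here are hypothetical.
const SUPERSCRIPT_DIGITS: [char; 4] = ['⁰', '¹', '²', '³']; // digits named on this page

/// Part of a path component that is compared against device names:
/// text before the first '.', trailing spaces dropped, ASCII-uppercased.
fn device_stem(component: &str) -> String {
    let stem = component.split('.').next().unwrap_or("");
    stem.trim_end_matches(' ').to_ascii_uppercase()
}

/// True for COM/LPT followed by exactly one digit.
fn is_port_name(stem: &str, superscripts_too: bool) -> bool {
    let mut chars = stem.chars();
    let prefix: String = chars.by_ref().take(3).collect();
    if prefix != "COM" && prefix != "LPT" {
        return false;
    }
    match (chars.next(), chars.next()) {
        (Some(d), None) => {
            d.is_ascii_digit() || (superscripts_too && SUPERSCRIPT_DIGITS.contains(&d))
        }
        _ => false,
    }
}

fn is_reserved(component: &str, superscripts_too: bool) -> bool {
    let stem = device_stem(component);
    matches!(stem.as_str(), "CON" | "PRN" | "AUX" | "NUL")
        || is_port_name(&stem, superscripts_too)
}

/// Incomplete check: ASCII digits only, which is the gap described above.
fn is_reserved_ascii_only(component: &str) -> bool { is_reserved(component, false) }

/// Hardened check: superscript digits are rejected as well.
fn is_reserved_hardened(component: &str) -> bool { is_reserved(component, true) }

fn main() {
    // Constructed sample path components.
    for name in ["COM1", "com¹", "LPT⁰.txt", "COM² ", "COM10", "notes.txt"] {
        let (weak, strong) = (is_reserved_ascii_only(name), is_reserved_hardened(name));
        println!("{:<10} ascii_only={:<5} hardened={}", name, weak, strong);
    }
}
```

A sandbox that opens guest-supplied paths on Windows would run a check like the hardened one on every path component, not only the final one.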

Impact

Untrusted WebAssembly programs with access to any filesystem directory can bypass the sandbox and access peripheral devices through these special device filenames. This access extends to modems, printers, network printers, and any device connected to a serial or parallel port, including emulated USB serial ports (GitHub Advisory).

Mitigation and workarounds

Patch releases have been issued as Wasmtime versions 24.0.2, 25.0.3, and 26.0.1. Users of Wasmtime 23.0.x and prior versions are advised to upgrade to one of these patched versions. There are no known workarounds for this issue, so affected Windows users must upgrade to a patched version (GitHub Advisory).

This report was generated using AI.

Related Rust vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| GHSA-2cgv-28vr-rv6j | HIGH | 8.8 | Rust | libcrux-intrinsics | No | Yes | Dec 04, 2025 |
| GHSA-xrv8-2pf5-f3q7 | MEDIUM | 6 | Rust | nitro-tpm-pcr-compute | No | Yes | Dec 05, 2025 |
| GHSA-mj73-j457-8x9q | LOW | 2.7 | Rust | maxminddb | No | Yes | Dec 02, 2025 |
| GHSA-pq5v-rwp8-p7gm | LOW | 2.7 | Rust | rtvm-interpreter | No | No | Dec 02, 2025 |
| RUSTSEC-2025-0133 | N/A | N/A | Rust | libcrux-intrinsics | No | Yes | Dec 04, 2025 |
