CVE-2025-53901: 
Rust vulnerability analysis and mitigation

CVE-2025-53901 affects Wasmtime, a runtime for WebAssembly, in versions prior to 24.0.4, 33.0.2, and 34.0.2. The vulnerability was discovered and disclosed on July 18, 2025, impacting Wasmtime's implementation of the WASIp1 set of import functions (GitHub Advisory).

The vulnerability is triggered by a specific sequence of operations in the WASIp1 implementation: calling path_open after calling fd_renumber with either two equal argument values or a second argument equal to a previously-closed file descriptor number value. This creates a corrupt state in fd_renumber that leads to a panic when subsequently opening a file descriptor. The vulnerability has been assigned a CVSS v3.1 base score of 3.5 (Low) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L (GitHub Advisory).

While the vulnerability cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, it can cause a panic in the host (embedder), resulting in a denial-of-service condition. This is particularly impactful when a preopened directory is provided to the guest, which is common in embeddings (GitHub Advisory).

Patch releases have been made available as versions 24.0.4, 33.0.2, and 34.0.2. Users of other releases are recommended to upgrade to a supported release. Embedders using components or those not providing guest access to create more file descriptors (e.g., via a preopened filesystem directory) are not affected. For other cases, updating to a patched version is the only recommended solution (GitHub Advisory, Wasmtime Docs).