CVE-2025-62711: 
Rust vulnerability analysis and mitigation

CVE-2025-62711 affects Wasmtime, a runtime for WebAssembly, in versions 38.0.0 through 38.0.2. The vulnerability was discovered and disclosed on October 24, 2025, impacting the component-model related host-to-wasm trampolines implementation (GitHub Advisory).

The vulnerability stems from a refactoring of host-to-wasm trampolines where component-model intrinsics were not properly updated. When an error occurs during wasm execution, the system attempts to read runtime data that isn't present, potentially leading to a crash. For example, trap handling data intended to be updated by trampolines during execution remains set to 0, causing execution to jump to the null address and trigger a segfault. The vulnerability has been assigned a CVSS v4.0 base score of 2.1 (Low) with vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L (GitHub Advisory).

The vulnerability can result in a host crash with a segfault or assert failure when specific conditions are met. However, exploitation requires carefully crafted components, specific host embedder configurations using the right type signatures, and a host that updated to the affected versions within a specific timeframe. The impact is primarily limited to availability, with no direct effect on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in Wasmtime version 38.0.3. There are no workarounds for affected versions other than upgrading to 38.0.3. Users of version 37.0.x and prior are not affected, and embeddings that only work with core wasm are also not impacted (GitHub Advisory).