wasmtime-wasi is vulnerable to Incorrect Authorization
65
Medium Risk
wasmtime-wasi enforces per-preopen file permissions through the WasiCtxBuilder FilePerms setting, but its WASI filesystem implementation only checks directory mutation permissions when creating hard links or renaming files. A guest with a read-only file capability can hard-link or rename that file into a preopen that grants write access, then open the alias for writing to overwrite the original read-only file. This bypasses the FilePerms::READ-only restriction and lets the guest modify host files that were meant to be read-only. The fix makes link and rename operations require matching directory and file permissions between the source and destination preopens.
You are affected if you are using a version that falls within the vulnerable range and your embedding exposes one preopen as read-only files while another preopen permits file writes.
wasmtime-wasi is vulnerable to Incorrect Authorization in versions 0.2.0 - 24.0.10, 25.0.0 - 36.0.11, 37.0.0 - 45.0.2 and 46.0.0 - 46.0.0.
Upgrade the wasmtime-wasi library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant