wasmtime is vulnerable to Improper Access Control
75
High Risk
The wasmtime package ships the precompiled Wasmtime runtime, whose WASI filesystem layer enforces per-directory and per-file permissions on preopened directories. When a host preopens a directory with writable directory permissions but read-only file permissions, a guest module can call path_open using only the truncate flag to open and truncate a file that should be read-only, because the truncate path is not treated as a write for the permission check. This lets sandboxed WebAssembly modules destroy or overwrite file contents the embedder intended to expose read-only. The fix marks truncating opens as writes so the file-permission check rejects them.
You are affected if you are using a version that falls within the vulnerable range and your application preopens a WASI directory with writable directory permissions but read-only file permissions.
wasmtime is vulnerable to Improper Access Control in versions 27.0.0 - 44.0.0.
Upgrade the wasmtime library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant