CVE-2025-15412 – An out-of-bounds read vulnerability in wabt's w... (How to Fix)

Q: What is the severity of CVE-2025-15412?

CVE-2025-15412 has a CVSS score of 5.3 (MEDIUM). An out-of-bounds read vulnerability in wabt's wasm-decompile tool allows local attackers to read memory beyond intended boundaries. This affects users who process untrusted WebAssembly files with wabt versions up to 1.0.39. The vulnerability requires local access to exploit.

📋 TL;DR

An out-of-bounds read vulnerability in wabt's wasm-decompile tool allows local attackers to read memory beyond intended boundaries. This affects users who process untrusted WebAssembly files with wabt versions up to 1.0.39. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

WebAssembly Binary Toolkit (wabt)

Versions: Up to and including 1.0.39

Operating Systems: All platforms running wabt

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects the wasm-decompile component when processing malicious WebAssembly files

⚠️ Risk & Real-World Impact

🔴

Worst Case

Information disclosure of sensitive memory contents, potentially including credentials, keys, or other application data in memory

🟠

Likely Case

Application crash or denial of service when processing malicious WebAssembly files

🟢

If Mitigated

Limited impact due to local access requirement and memory read-only nature

🌐 Internet-Facing: LOW - Requires local access to exploit

🏢 Internal Only: MEDIUM - Internal users with access to wasm-decompile tool could exploit

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires local access and ability to run wasm-decompile on malicious files

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None - project has no active maintainer

Vendor Advisory: https://github.com/WebAssembly/wabt/issues/2678

Restart Required: No

Instructions:

No official patch available. Consider community-contributed fixes or alternative tools.

🔧 Temporary Workarounds

Disable wasm-decompile usage

linux

Prevent use of the vulnerable component by removing or restricting access

sudo rm /usr/local/bin/wasm-decompile
chmod 000 /usr/local/bin/wasm-decompile

Use alternative WebAssembly tools

all

Replace wabt with alternative WebAssembly toolkits

🧯 If You Can't Patch

Restrict local user access to systems running wabt
Implement strict input validation for WebAssembly files processed by wasm-decompile

🔍 How to Verify

Check if Vulnerable:

Check wabt version: wasm-decompile --version | grep -q '1\.0\.39\|1\.0\.[0-9]\|1\.0\.[0-3][0-9]'

Check Version:

wasm-decompile --version

Verify Fix Applied:

Verify wasm-decompile is not installed or version is above 1.0.39

📡 Detection & Monitoring

Log Indicators:

Segmentation fault or crash logs from wasm-decompile
Unusual memory access patterns in system logs

Network Indicators:

None - local exploit only

SIEM Query:

process.name == 'wasm-decompile' AND event.type == 'crash'

📊 Metadata

CVE ID: CVE-2025-15412

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-119

Published: January 1, 2026

Last Updated: February 5, 2026

🤖 AI-assisted analysis, reviewed for accuracy

🔗 References

https://github.com/WebAssembly/wabt/issues/2678 Exploit,Issue Tracking,Vendor Advisory
https://github.com/oneafter/1208/blob/main/af1 Exploit
https://vuldb.com/?ctiid.339333 Permissions Required,VDB Entry
https://vuldb.com/?id.339333 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.719826 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-15412, you might also want to check these: