CVE-2025-54126

CVE-2025-54126 is a medium-severity vulnerability in Bytecodealliance Webassembly Micro Runtime with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-668.

Key facts

Description

The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions. Services relying on --addr-pool for restricting access by IP may unintentionally become open to all external connections. This may lead to unauthorized access in production deployments, especially when users assume that specifying an IP without a subnet mask implies a default secure configuration. This is fixed in version 2.4.1.

Frequently asked questions

What is CVE-2025-54126?
The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions. Services relying on --addr-pool for restricting access by IP may unintentionally become open to all external connections. This may lead to unauthorized access in production deployments, especially when users assume that specifying an IP without a subnet mask implies a default secure configuration. This is fixed in version 2.4.1.
How severe is CVE-2025-54126?
CVE-2025-54126 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2025-54126 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2025-54126?
CVE-2025-54126 affects Bytecodealliance Webassembly Micro Runtime. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2025-54126?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-54126 have an EU (EUVD) identifier?
Yes. CVE-2025-54126 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-23050.
When was CVE-2025-54126 published?
CVE-2025-54126 was published on 2025-07-29 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Bytecodealliance Webassembly Micro Runtime

All CVEs affecting Bytecodealliance Webassembly Micro Runtime →

Other CWE-668 (Exposure of Resource to Wrong Sphere) vulnerabilities

Browse all CWE-668 (Exposure of Resource to Wrong Sphere) vulnerabilities →