CVE-2025-15411

MEDIUM 4.8 / 10.0
Published: January 1, 2026 at 08:15 PM
Modified: January 6, 2026 at 03:52 PM
Source: cna@vuldb.com

Vulnerability Description

A weakness has been identified in WebAssembly wabt up to 1.0.39. This vulnerability affects the function wabt::AST::InsertNode of the file /src/repro/wabt/bin/wasm-decompile of the component wasm-decompile. This manipulation causes memory corruption. It is possible to launch the attack on the local host. The exploit has been made available to the public and could be used for attacks. Unfortunately, the project has no active maintainer at the moment. In a reply to the issue report somebody recommended to the researcher to provide a PR himself.

CVSS Metrics

Base Score
4.8
Severity
MEDIUM
Vector String
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: cna@vuldb.com

AI Security Analysis

01 // Technical Summary

CVE-2025-15411 is a memory corruption vulnerability, rated MEDIUM (CVSS 4.8), in the wasm-decompile component of WebAssembly's wabt, specifically within the wabt::AST::InsertNode function. The flaw is triggered by crafted WebAssembly files and could allow arbitrary code execution, potentially leading to system compromise and data exfiltration on vulnerable systems. The lack of an active maintainer for the project exacerbates the risk, making patching difficult and increasing the likelihood of exploitation.

02 // Vulnerability Mechanism

Step 1: Payload Creation: The attacker crafts a malicious WebAssembly (.wasm) file. This file is specifically designed to trigger the wabt::AST::InsertNode vulnerability during the decompilation process.

Step 2: Payload Delivery: The attacker delivers the malicious .wasm file to a vulnerable system. This could be achieved through various means, such as uploading it to a web server, sending it as an email attachment, or exploiting a file upload vulnerability in an application that uses wabt.

Step 3: Decompilation Trigger: The vulnerable application or system attempts to decompile the malicious .wasm file using the wasm-decompile tool from the wabt library.

Step 4: Vulnerability Execution: The wabt::AST::InsertNode function is called during the decompilation process. The crafted .wasm file causes the function to write data outside of allocated memory boundaries, leading to memory corruption.

Step 5: Code Execution (Exploitation): The memory corruption overwrites critical data, such as function pointers or control flow data. The attacker can then control the program's execution flow, potentially leading to arbitrary code execution (ACE) and system compromise.

03 // Deep Technical Analysis

The vulnerability stems from a memory corruption issue within the wabt::AST::InsertNode function in the wasm-decompile component of the wabt library. The root cause is likely a buffer overflow or heap overflow when handling the insertion of nodes within the Abstract Syntax Tree (AST) during the decompilation process. Specifically, the function fails to properly validate the size or number of elements being inserted, leading to out-of-bounds writes. This can overwrite adjacent memory regions, including critical data structures or even the instruction pointer, allowing an attacker to control program execution. The lack of bounds checking or improper memory allocation within the function allows an attacker to craft a malicious WebAssembly file that triggers the vulnerability. The decompilation process, when encountering this crafted file, will then execute the flawed InsertNode function, leading to the memory corruption.
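
One way to contain the decompilation step (Step 3 above) when wasm-decompile has to process untrusted files. This is an added example, not code from the advisory or from the wabt project. It assumes a Linux host with wasm-decompile on PATH; the function names and limit values are illustrative.

```python
import os
import resource
import signal
import subprocess
import sys

# Assumption: the wabt tool named in the advisory is installed and on PATH.
DECOMPILER = "wasm-decompile"

def _cap(res, value):
    """Lower a resource limit, never exceeding the current hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(res, (value, value))

def _limit_child():
    """Runs in the child before exec, so a corrupted process stays bounded."""
    _cap(resource.RLIMIT_CPU, 10)        # CPU seconds
    _cap(resource.RLIMIT_AS, 1 << 30)    # 1 GiB of address space
    _cap(resource.RLIMIT_CORE, 0)        # no core dumps of untrusted input

def run_contained(argv, timeout=15):
    """Run argv as a limited child process and classify how it ended."""
    try:
        proc = subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True,
                              timeout=timeout, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return {"status": "timeout", "signal": None, "output": b""}
    if proc.returncode < 0:
        # A negative code means death by signal (SIGSEGV, SIGABRT, ...), the usual
        # visible symptom of memory corruption. Discard any partial output.
        name = signal.Signals(-proc.returncode).name
        return {"status": "crashed", "signal": name, "output": b""}
    status = "ok" if proc.returncode == 0 else "rejected"
    return {"status": status, "signal": None, "output": proc.stdout}

def decompile_untrusted(path):
    """Decompile one untrusted file; abspath stops a leading '-' parsing as an option."""
    return run_contained([DECOMPILER, os.path.abspath(path)])

if __name__ == "__main__":
    result = decompile_untrusted(sys.argv[1])
    print(result["status"], result["signal"] or "", file=sys.stderr)
    sys.stdout.buffer.write(result["output"])
```

Resource limits bound the damage but are not a sandbox, so run the wrapper as an unprivileged user or inside a container. A "crashed" result is worth logging together with the hash of the input file.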
