RUSTSEC-2024-0442 – wasmtime-jit-debug

Package

Manager: cargo
Name: wasmtime-jit-debug
Vulnerable Version: >=0.0.0-0 <24.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:R

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Dump Undefined Memory by `JitDumpFile` The unsound function `dump_code_load_record` uses `from_raw_parts` to directly convert the pointer `addr` and `len` into a slice without any validation and that memory block would be dumped. Thus, the 'safe' function dump_code_load_record is actually 'unsafe' since it requires the caller to guarantee that the addr is valid and len must not overflow. Otherwise, the function could dump the memory into file illegally, causing memory leak. > **Note**: this is an internal-only crate in the Wasmtime project not intended for external use and is more strongly signaled nowadays as of [bytecodealliance/wasmtime#10963](https://github.com/bytecodealliance/wasmtime/pull/10963). Please open an issue in Wasmtime if you're using this crate directly.

Metadata

Created: 2024-07-06T12:00:00Z
Modified: 2025-06-17T09:04:25Z
Source: https://osv-vulnerabilities
CWE IDs: N/A
Alternative ID: N/A
Finding: F002
Auto approve: 1