cvedb.io
CVE-2024-51745
CRITICAL · CVSS 10
EPSS exploitation probability: 0%
Published 2024-11-05T22:15:21.643 · Last modified 2026-06-17T08:06:14.230

Summary

Wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's filesystem sandbox implementation on Windows blocks access to special device filenames such as "COM1", "COM2", "LPT0", "LPT1", and so on, however it did not block access to the special device filenames which use superscript digits, such as "COM¹", "COM²", "LPT⁰", "LPT¹", and so on. Untrusted Wasm programs that are given access to any filesystem directory could bypass the sandbox and access devices through those special device filenames with superscript digits, and through them gain access peripheral devices connected to the computer, or network resources mapped to those devices. This can include modems, printers, network printers, and any other device connected to a serial or parallel port, including emulated USB serial port

Affected products

bytecodealliance — wasmtime

Does this affect you?

Add your gear to cvedb and we'll alert you only when bytecodealliance ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.