CVE-2024-28123 - Vulnerability Details - OpenCVE

Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn’t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00312.

Key SSVC decision points have not yet been added.

Vendors	Products
Wasmi-labs	Wasmi

Configuration 1 [-]

cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-0852	Wasmi Out-of-bounds Write for host to Wasm calls with more than 128 Parameters
Github GHSA	GHSA-75jp-vq8x-h4cq	Wasmi Out-of-bounds Write for host to Wasm calls with more than 128 Parameters

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f
https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1
https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq

History

Mon, 02 Jun 2025 14:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wasmi-labs Wasmi-labs wasmi
CPEs		cpe:2.3:a:wasmi-labs:wasmi::::::rust::*
Vendors & Products		Wasmi-labs Wasmi-labs wasmi

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-08T21:29:53.555Z

Updated: 2024-08-05T18:14:48.975Z

Reserved: 2024-03-04T14:19:14.060Z

Link: CVE-2024-28123

Vulnrichment

Updated: 2024-08-02T00:48:49.456Z

NVD

Status : Analyzed

Published: 2024-03-21T02:52:23.827

Modified: 2025-06-02T14:06:34.380

Link: CVE-2024-28123

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-28123", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-04T14:19:14.060Z", "datePublished": "2024-03-08T21:29:53.555Z", "dateUpdated": "2024-08-05T18:14:48.975Z"}, "containers": {"cna": {"title": "Wasmi Out-of-bounds Write for host to Wasm calls with more than 128 Parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq"}, {"name": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f"}, {"name": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1"}], "affected": [{"vendor": "wasmi-labs", "product": "wasmi", "versions": [{"version": ">= 0.15.0, <= 0.31.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-08T21:29:53.555Z"}, "descriptions": [{"lang": "en", "value": "Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn\u2019t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.\n"}], "source": {"advisory": "GHSA-75jp-vq8x-h4cq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.456Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq"}, {"name": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f"}, {"name": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1"}]}, {"affected": [{"vendor": "wasmi-labs", "product": "wasmi", "cpes": ["cpe:2.3:a:wasmi-labs:wasmi:0.15.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0.15.0", "status": "affected", "lessThanOrEqual": "0.31.0", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-05T18:07:36.528954Z", "id": "CVE-2024-28123", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T18:14:48.975Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "name": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "name": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "name": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:48:49.456Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-28123", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-05T18:07:36.528954Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:wasmi-labs:wasmi:0.15.0:*:*:*:*:*:*:*"], "vendor": "wasmi-labs", "product": "wasmi", "versions": [{"status": "affected", "version": "0.15.0", "versionType": "custom", "lessThanOrEqual": "0.31.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-05T18:14:38.592Z"}}], "cna": {"title": "Wasmi Out-of-bounds Write for host to Wasm calls with more than 128 Parameters", "source": {"advisory": "GHSA-75jp-vq8x-h4cq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "wasmi-labs", "product": "wasmi", "versions": [{"status": "affected", "version": ">= 0.15.0, <= 0.31.0"}]}], "references": [{"url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "name": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "name": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "name": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn\u2019t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.\n"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-08T21:29:53.555Z"}}}, "cveMetadata": {"cveId": "CVE-2024-28123", "state": "PUBLISHED", "dateUpdated": "2024-08-05T18:14:48.975Z", "dateReserved": "2024-03-04T14:19:14.060Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-08T21:29:53.555Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wasmi-labs:wasmi:*:*:*:*:*:rust:*:*", "matchCriteriaId": "DAB41919-ADBF-4CC4-B289-F15B7F68460C", "versionEndExcluding": "0.31.1", "versionStartIncluding": "0.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. In the WASMI Interpreter, an Out-of-bounds Buffer Write will arise if the host calls or resumes a Wasm function with more parameters than the default limit (128), as it will surpass the stack value. This doesn\u2019t affect calls from Wasm to Wasm, only from host to Wasm. This vulnerability was patched in version 0.31.1.\n"}, {"lang": "es", "value": "Wasmi es un int\u00e9rprete de WebAssembly eficiente y liviano centrado en sistemas integrados y restringidos. En el int\u00e9rprete WASMI, surgir\u00e1 una escritura de b\u00fafer fuera de los l\u00edmites si el host llama o reanuda una funci\u00f3n Wasm con m\u00e1s par\u00e1metros que el l\u00edmite predeterminado (128), ya que superar\u00e1 el valor de la pila. Esto no afecta las llamadas de Wasm a Wasm, solo del host a Wasm. Esta vulnerabilidad fue parcheada en la versi\u00f3n 0.31.1."}], "id": "CVE-2024-28123", "lastModified": "2025-06-02T14:06:34.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-21T02:52:23.827", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/wasmi-labs/wasmi/commit/f7b3200e9f3dc9e2cbca966cb255c228453c792f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/wasmi-labs/wasmi/releases/tag/v0.31.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/wasmi-labs/wasmi/security/advisories/GHSA-75jp-vq8x-h4cq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}