Loading
Generated remediation guidance and an executive summary. No account required.
The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. Anyone running WAMR up to and including version 2.2.0 or WAMR built with libc-uvwasi on Windows is affected by a symlink following vulnerability. On WAMR running in Windows, creating a symlink pointing outside of the preopened directory and subsequently opening it with create flag will create a file on host outside of the sandbox. If the symlink points to an existing host file, it's also possible to open it and read its content. Version 2.3.0 fixes the issue.
Cite this page
CVE-2025-43853. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2025-43853
Use CWE-61, Bytecodealliance vendor hub and Webassembly Micro Runtime product page to widen CVE-2025-43853 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2024-25431, CVE-2024-27532 and CVE-2024-34251 for nearby disclosures in the same product family.