CVE-2025-14957

EUVD-2025-204582

19.12.2025, 17:15

A vulnerability was identified in WebAssembly Binaryen up to 125. This affects the function IRBuilder::makeLocalGet/IRBuilder::makeLocalSet/IRBuilder::makeLocalTee of the file src/wasm/wasm-ir-builder.cpp of the component IRBuilder. Such manipulation of the argument Index leads to null pointer dereference. Local access is required to approach this attack. The exploit is publicly available and might be used. The name of the patch is 6fb2b917a79578ab44cf3b900a6da4c27251e0d4. Applying a patch is advised to resolve this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
VulDB	CNA	3.3 LOW				CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 4%

Affected Products (NVD)

Vendor	Product	Version
webassembly	binaryen	𝑥 ≤ 125

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

binaryen

bookworm	unimportant
bullseye	unimportant
forky	unimportant
sid	unimportant
trixie	unimportant

Ubuntu Releases

Ubuntu Product

Codename

binaryen

focal	needs-triage
jammy	needs-triage
noble	needs-triage
plucky	ignored
questing	needs-triage

Known Exploits!

https://github.com/WebAssembly/binaryen/issues/8090

Common Weakness Enumeration

References

https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4

https://github.com/WebAssembly/binaryen/issues/8090

https://github.com/WebAssembly/binaryen/pull/8099

https://github.com/oneafter/1204/blob/main/af1

https://vuldb.com/?ctiid.337593

https://vuldb.com/?id.337593

https://vuldb.com/?submit.717317

https://vuldb.com/?submit.717319